Login in with just url-arguments

Today I learnt something I had no clue about was possible, how to just use url-arguments to login to a notes database on the web.

The idea is simple:


You can read more about it here: http://vinceschuurman.com/home/ndt4.nsf/(LUBlogContent)/200704151737

  • http://ABData.CH Andy Brunner

    Well this works only for basic authentication (browser popup and not for the session authentication (with domcfg.nsf)

  • Joachim Dagerot

    No, that’s incorrect. It does work for session based logins. Maybe you are mixing up this approach with the old username:password@http://server URL?

  • http://ABData.CH Andy Brunner

    Ups – You are right. I meant the old username:password login URL.

    Sorry :)

  • Joachim Dagerot

    You’re welcome! :)

  • http://dominounlimited.blogspot.com Andrei Kouvchinnikov

    And you also can logout using http://server/MyMailFile?logout

    To hide username and password in login request you can send them with POST request type instead.
    POST http://server/names.nsf?Login HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

  • http://dominounlimited.blogspot.com Andrei Kouvchinnikov

    A slight error in the previous example..
    POST /names.nsf?Login HTTP/1.1
    Host: http://www.server.com

  • Joachim Dagerot

    @Andrei: A cool thing with doing a post instead, without using domcfg!

  • Pingback: Fast payday loans.()

  • http://ezscript.nl leo

    Security ISSUE:

    For sure the names.nsf?Login&Username=ME&Password=Secret&redirect is NOT safe because it gets LOGGED on the domino server in the domlog.

    When someone opens this logfile and searches for the HTTP GETS your user credentials will become available to that person.

    SO DO NOT USE this method if you want to keep you user credentials safe.

    I am making a tool that keeps you credentials safe and still provide login automation. See: http://ezscript.nl

    Like Andrei suggested I am using the HTTP POST for login in (The POST data will NOT BE LOGGED by domino, so your credentials will be safe)

    thnx, Leo

  • Jafa


    You have one typo, REDIRECT shoud be REDIRECTTO. Now it’s works nicely. Thank you.

  • Elias Santiago

    UNSAFE method!  


    – URL gets saved in Domino server log (domlog) making credentials available to anyone with that access (mentioned below)
    – URL gets saved in browser history, making credentials available to anyone just by looking at the browser history

    – temporary files in browser cache get named with the url+credentials. Available to EVERYONE since the temporary files must be available to ALL users of the computer (Windows). Unless, the browser/system is configured to use the temp files under the user profile, but still has the potential to be seen by admin users of the system. 

    – If the internet access is by using a proxy service, user credentials will be exposed to any log the proxy saves/uses. 

    – Potential of user credentials exposure to search engines (e.g. Google Chrome, etc.) 

    – Potential of user credentials being saved in a browser cookie, available to other domains. 

    – Using http protocol exposes the user credentials in cleartext.

    – No security offered by http protocol (plaintext transfer).

    – Not enough reasons so far?