Well, first of all, it would be best to wrap your entire path in a URLEncodedFormat(). This ensures that any special characters in either the hashed PW or the UN are URL-friendly.
What I would do is set a variable into your APPLICATION scope that is a seed. When you pass the password, use Encrypt on it with the seeded value. This way, when your CFC gets the request, it can use Decrypy, and has access to the seed value in the APPLICATION scope in order to determine the actual value passed by the user, and perform authentication at that point.
Thanks Aegis for your response...
Please correct me If I took it ,what you were trying to convince , in different sense.
I don't think you want to urlencode the entire path, only the variable values of username and password.
Security wise, you might want to put a little more thought into alternatives. Two issues that come up immediately in my mind:
- Even encrypted, the password is still usable by the intended user and anyone that can get to the browser cache. To mitigate this you'll want the encryption seed to be short lived and/or put a timestamp in the password and don't accept passwords that exceed some period.
- If you must comply with any sort of security program (like PCI), most scanners and assessors will red flag code like this because it is unsafe -- even with short lived seeds.
That said, can this be tied to session security instead of URL query parameters?