Using a query string on a link to pass the username and password.

Is there a way to add a query string to a link so that it will automatically log someone in to a site when they click on the link? For example: an internal user on the intranet clicks on a link to, say, "Experts Exchange". The link will take them to the site and log them in with the company user name and password. Thank you in advance for your help.
You need to view the source of the page with the login form and then construct your querystring so that it includes all the form fields and relevant values.

Using Experts-Exchange as an example, you could use the following link:

This URL includes all the form fields found on the Experts Exchange log in form.

This relies on sites using the less strict Request("Field") instead of the more strict Request.Form("Field").

Those that do use Request.Form("Field") will not work with the above method.

I have to say that embedding usernames and passwords into querystrings is generally bad practice because your users can either view the source of the page with the link to see the username and password or they may see it in the address bar (if the page doesn't redirect) when they click the link.

Hope this helps


I'm not sure I understand your question but here's a shot:

Only if the site has a server program that is looking for those query strings and logging people in. No site that I know would ever do that but you might have your own setup in which case it would work (but pretty insecure since login info is rarely not encrypted).

In any case, you can add any name-value pairs to a link, which can be easily read by the server:
<a href="">test link</a>

Login forms are supposed to use POST (not GET), so a URL should not work.
But it should be possible to reproduce the login form on your page:
Replace the <input type="text"> with <input type="hidden" value="myvalue">
where "myvalue" corresponds to the text you enter in the text input.
Have your form submit to the server's login page and you should be able to login.

If you're using a username and password, the assumption is that you'd want some form of privacy protection. So if you aren't using a form with post/get then you should probably be trying to use a cookie that contains the username/password and set it to expire after x number of hours or days (with VBScript).

If it's just a thing like 'guest' 'general pass' that goes to a lesser protected end of the site (even intranet) then you could do what Oh4cryingOutloud said.
<a href="">test link</a>

<a href="file.ext?usr=blah&psw=blah">link</a>

Or if anyone can go there anyway, why have a username/password? Just give them a general link maybe?
OK, I'll code it:

<style type="text/css">

body {
  background-color: #ddd;
  color: black;
}

</style>

<form method="post" action="">

  <input name="msuLoginName" type="hidden" value="jsmaling">
  <input name="msuPassword" type="hidden" value="%your password goes here%">
  <input name="msuLoginSubmit" type="submit" value="Experts Exchange">

</form>

This uses an input to submit the form, but you can replace it with a link if you want, just use javascript to submit your form from the link.
Like a lot of others are saying, you will not find many sites that check for their users using a querystring. I for one, would not visit such a site.

That set aside, you cannot control the other sites (unless they are your own) so there is no way of making sure that you can log in your users automatically. Even IF they would have set up their site to allow logging in using querystring variables, there's still the chance they check for a referrer URL to be their own site; I would do that if it were my site. Again, that would render your querystring useless.

So that said, it's possible, but not likely you will get that working.

jsmaling (Author) commented:

The link is going to be internal and we want our users to have the information without having to remember it.  This link actually worked for us.  How would I make it go to the homepage instead of the web development page?
jsmaling, why not use a form? That's the correct way to do it.

The big problem of sending sensitive data inside a URL is that the URL gets logged on the webservers, so your password will appear in the webstats reports. Also, if you are not correctly redirected and you click on a new link, that URL will be sent as "referrer".
If you get the url of the page you want to redirect to you can use it as the value for the redirectURL key in the querystring. This is specific to the EE site and is unlikely to work on other sites.
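
The logging and referrer exposure raised in the thread can be checked for on your own web server. The following is an added example, not code from any poster: it scans Combined Log Format access-log lines for password-like query parameters in the request URL and in the Referer field, and emits a redacted copy of each affected line. The parameter list, hosts, paths and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "psw" and "msuPassword" appear in the thread; the other names are assumed.
SECRET_PARAMS = {"psw", "msupassword", "password", "passwd", "pwd"}

# Combined Log Format: host ident user [time] "METHOD url PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) )(?P<url>\S+)'
    r'(?P<mid> [^"]*" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>".*)$'
)

def redact_url(url):
    """Return (redacted_url, [names of secret parameters found])."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan(lines):
    """Yield (line_no, field, param_names, redacted_line) for each leak."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        url, hit_url = redact_url(m["url"])
        ref, hit_ref = redact_url(m["referer"])
        clean = m["head"] + url + m["mid"] + ref + m["tail"]
        if hit_url:
            yield no, "request", hit_url, clean
        if hit_ref:
            yield no, "referer", hit_ref, clean

# Constructed sample log (hosts, paths and values are made up).
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:09:00:00 +0000] "GET /login.asp?msuLoginName=jdoe&msuPassword=hunter2 HTTP/1.1" 302 0 "http://intranet.example/links.htm" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:09:00:05 +0000] "GET /news.asp HTTP/1.1" 200 512 "http://site.example/file.ext?usr=jdoe&psw=hunter2" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:09:01:00 +0000] "POST /login.asp HTTP/1.1" 302 0 "http://site.example/login.asp" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, field, names, clean in scan(SAMPLE):
        print(f"line {no}: {field} carries {names}\n  {clean}")
```

The second sample line shows the referrer case: the password was never sent to `/news.asp` as a parameter, yet it still lands in that server's log through the Referer header.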
