Comments on: Tip: Easy Salesforce Logins

By: Judi Sohn

Judi Sohn — Sun, 05 Jul 2009 13:58:00 +0000

Good to know, thanks!

By: Thomas R. Hall

Thomas R. Hall — Sun, 05 Jul 2009 13:45:06 +0000

JP Seabury beat me to it on the hex encoding.

Something else to consider about using a “GET” URL (where you provide your username and password as part of the URL) is that it is a bit more of a security risk. Even if that link is only on your machine, once you click on it, the full link is available in the web server logs on Salesforce’s servers _in plain text_. So any sysadmin who has access to the web server logs would know your user ID and password. Just a word of caution. Using something like Roboform, KeePass, 1Password, etc. is a better way, if possible.

Note that if you use a “POST” request, the data is not passed as part of the URL, and thus not in the web server logs.

By: JP Seabury

JP Seabury — Mon, 29 Jun 2009 15:22:14 +0000

Great tip. In the past, I’ve implemented this for a few members of our executive team — who were constantly forgetting their passwords. It is “dangerous”, so your warnings to use it sparingly and only in tightly controlled circumstances is spot on.

The %40 is the hex-format for the ascii control character code for the “@” symbol. There are certain characters that you can’t include in a URL address (like space, the “@” symbol, etc.). For these, you need to encode them in their hex format. For the desperately curious, more details here: http://www.csgnetwork.com/asciiset.html

If you’re concerned about this method for security reasons, then I highly recommend RoboForm (http://www.roboform.com). The application is free for up to 10 different accounts. I fell in love with the mobile version of this, which lets me securely keep my passwords and logins to all my different Salesforce and Developer accounts on a USB drive. It’s definitely worth looking into.

Great post, Judi!