Please also have a look at Manual enablement of login using HTTP GET to avoid unintentional leakage of user credentials in Apache's access logs