The described systems, methods, and data structures are directed at data transfer using Hyper-Text Transfer Protocol (HTTP) query strings. A block of data is partitioned into sections. Each section is encoded in a query string of a HTTP message. Each HTTP message is sent to a server by redirecting through a client. Multiple redirected messages are sent until the entire block of data is transferred to the server. The data block may be stored as a cookie on the client so that the data block does not have to persist on any server. Data transfer using HTTP query strings may be implemented to transfer a security token from a security token service (STS) server to an application server.