It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ — this sends the credentials in the standard HTTP “Authorization” header.
It’s possible that whoever you were speaking to was thinking of a custom module or code that looked at the query parameters and verified the credentials. This isn’t standard HTTP auth, though, it’s an application-specific thing.