?parameter=value[¶meter=value] is standard notation for GET-ing parameters to a web server.
https://username:firstname.lastname@example.org/ is standard notation for the old "auth" mechanisms associated with HTTP.
The LuCI repo would probably be the one to check as to when the old "auth" approach was replaced by the "modern", session-based approach.
modules/luci-base/luasrc/view/sysauth.htm goes back to at least 2014.
$ git log --pretty='%ad %cd %s' --date=short modules/luci-base/luasrc/view/sysauth.htm
2018-06-19 2018-06-23 luci-base: globally cleanup markup
2018-05-31 2018-05-31 luci-base: use common alert message markup
2018-04-04 2018-04-04 luci-base: use FULL_REQUEST_URI on login form templates
2016-08-18 2016-08-18 luci-base: properly style login alert message
2015-10-06 2015-10-06 Globally convert headline anchors into name attributes.
2015-01-16 2015-01-16 Update my email addresses in the license headers
2015-01-16 2015-01-16 Globally reduce copyright headers
2014-12-03 2015-01-08 Rework LuCI build system
There is also an RPC system intended for this kind of thing. That is probably a better match, as it doesn’t involve screen scraping. I believe, but have not used it myself, that it supports non-root users. See, for example https://github.com/openwrt/luci/wiki/JsonRpcHowTo and https://openwrt.org/docs/techref/rpcd