> Yes, a query parameter is an option. The reason I
> don't want to use query parameters is we have a
> standard to avoid using them if at all possible as
> they expose data to the user. This particular piece of
> data in question doesn't present a security risk by
> being exposed, but exposing it does go against our
> standards so I'd like to find another way to pass it.

I would just like to point out to anyone reading this list that the
technique mentioned above, "Security Through Obscurity," is totally invalid.
Do not believe that simply because you are not explicitly displaying
information in a browser to a user directly that you have done something
that mitigates any security risks.  A knowledgeable, lucky, or well-read
user can find out anything the client is doing.

I would just like to see people understand that whether you post or get, the
information you submit is easily viewable by your users.  I had to spend two
hours explaining to one of my company's "developers" that just because he
posted the user login instead of getting it, he was not providing adequate
protection for the password.

That is all.
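As an added illustration of the point made in the message above (this is not code from the original thread; the host, path and field names are made up for the example), the following script serializes the same login as a GET request and as a form POST, then parses both the way a proxy, browser devtools, or a sniffer on a plaintext link would. The credential comes back out of both; the method only changes where in the request it sits.

```python
"""Added example, not part of the original mailing-list message.

Shows that a credential submitted by GET or by POST is equally visible
to anyone who can observe the client's traffic.  Host, path and field
names below are invented for the illustration.
"""
from urllib.parse import urlencode, urlsplit, parse_qs


def build_get(host, path, params):
    """Serialize a GET request: the parameters travel in the request line."""
    query = urlencode(params)
    return f"GET {path}?{query} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def build_post(host, path, params):
    """Serialize a form POST: the parameters travel in the body, not the URL.

    This is what the developer in the message thought would hide the
    password; it only moves it a few lines further down the request."""
    body = urlencode(params)
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
        f"{body}"
    )


def extract_params(raw_request):
    """Parse a raw HTTP/1.1 request as an observer on the wire would and
    return the submitted form fields, whichever method carried them."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ")

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {}
    if method == "GET":
        # GET: everything is in the query string of the request target.
        found.update(parse_qs(urlsplit(target).query))
    elif method == "POST":
        # POST: read the body, honouring Content-Length, and decode the form.
        length = int(headers.get("content-length", len(body)))
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            found.update(parse_qs(body[:length]))

    # parse_qs returns lists; the form has one value per field here.
    return {k: v[0] for k, v in found.items()}


def credential_visible(raw_request, field="password"):
    """True if the named field can be read straight off the request."""
    return field in extract_params(raw_request)


if __name__ == "__main__":
    # Constructed sample login; not real credentials.
    creds = {"username": "alice", "password": "hunter2"}
    for build in (build_get, build_post):
        raw = build("app.example", "/login", creds)
        print(raw)
        print("observer recovers:", extract_params(raw))
        print()
```

Run it and both requests print the same recovered dictionary. The only thing that keeps a credential away from a network observer is transport encryption (TLS), and nothing keeps it away from the user whose browser sent it; the method, a hidden form field, or a cookie merely changes where they have to look.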
