Hi Bob, I agree using POSTs rather than GETs is better practice for most forms, but there is little effect on security.
A POST is barely more secure than a GET. POST data is sent clear-text. The only advantage is that POST data is not stored in log files because the data is not in the URL. Log files should only be accessible to administrators. Administrators have other methods to learn passwords, so this advantage is rarely relevant.

Enabling SSL encrypts the URL (including GET data) and POST data while in transit. Security is the same whether using the GET or POST methods. GET data can still be found in the logs because the decryption happens before the web server sees the request. This is still irrelevant.

GET data is limited because URLs should not exceed ~2000 bytes. That should not be an issue with the login URL.

The intention is that GET requests should not cause side-effects on the server. Side-effects are defined as saving permanent data on the server. Login does not save permanent data to the server, so this is not an issue.

An advantage of using GET is that the username and password may be stored in a bookmark for easy access. Normal people do not know this is possible, so this feature is only a concern for techies.

In most cases, anybody with access to the log files also has the ability to trap POST data. I cannot find a real advantage for using the POST method for login.

solprovider

On 5/2/07, Bob Harner <[EMAIL PROTECTED]> wrote:
As an aside, you might want to make that form method a POST instead of a GET. See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 (and http://www.mail-archive.com/[email protected]/msg02917.html for more details)
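The thread's central claim is that the one concrete difference between GET and POST for a login form is where the credentials end up: in the request line (and therefore in the server's access log, browser history and bookmarks) for GET, and in the request body, which a standard access log never records, for POST. The script below is an added example, not code from either poster or from any Apache project: it builds both forms of the login request, renders the Common Log Format line the server would write for each (the same line whether or not TLS is in use, since the log is written after decryption, as solprovider notes), and then runs a simple scan over a few constructed log lines to find credential-bearing query strings. The field names, the sample client address, the timestamp and the list of "sensitive" parameter names are all assumptions chosen for illustration.

```python
"""GET vs. POST login submission as seen in a web server access log.

Added example for the GET/POST discussion above; not code from the
mailing-list posters. Log format is NCSA Common Log Format as written by
Apache httpd; the sample log lines at the bottom are constructed.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Request-line pattern inside a CLF entry: "METHOD target HTTP/x.y"
REQUEST_LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)"'
)

# Assumed list of query-parameter names treated as credential material.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def build_request(method, path, fields):
    """Return (request_line, body) for an HTML form submission.

    A GET form serialises the fields into the URL query string; a POST
    form sends them as the request body and leaves the URL untouched.
    """
    if method == "GET":
        return f"GET {path}?{urlencode(fields)} HTTP/1.1", ""
    if method == "POST":
        return f"POST {path} HTTP/1.1", urlencode(fields)
    raise ValueError(f"unsupported method {method!r}")


def access_log_line(client, request_line, status=200, size=512):
    """Render the Common Log Format entry the server writes for a request.

    Only the request line is logged. The body of a POST is never part of
    the access log, and TLS makes no difference here because the server
    logs the decrypted request line.
    """
    timestamp = "02/May/2007:10:00:00 +0000"  # constructed
    return f'{client} - - [{timestamp}] "{request_line}" {status} {size}'


def leaked_credentials(log_line):
    """Return {param: value} for sensitive query parameters in one log line."""
    match = REQUEST_LINE_RE.search(log_line)
    if not match:
        return {}
    query = urlsplit(match.group("target")).query
    params = parse_qs(query, keep_blank_values=True)
    return {
        name: values[0]
        for name, values in params.items()
        if name.lower() in SENSITIVE_PARAMS
    }


def scan_log(lines):
    """Return [(line_number, leaked_params)] for every line that leaks."""
    hits = []
    for number, line in enumerate(lines, start=1):
        leaked = leaked_credentials(line)
        if leaked:
            hits.append((number, leaked))
    return hits


# Constructed sample: the same login submitted by GET and by POST, plus an
# unrelated request, as they would appear in access_log.
LOGIN_FIELDS = {"user": "bob", "password": "hunter2"}  # assumed field names
GET_LINE, _ = build_request("GET", "/login", LOGIN_FIELDS)
POST_LINE, POST_BODY = build_request("POST", "/login", LOGIN_FIELDS)

SAMPLE_LOG = [
    access_log_line("10.0.0.7", GET_LINE, 302, 0),
    access_log_line("10.0.0.7", POST_LINE, 302, 0),
    access_log_line("10.0.0.9", "GET /index.html HTTP/1.1"),
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print()
    for number, leaked in scan_log(SAMPLE_LOG):
        print(f"line {number}: credentials in URL: {leaked}")
    print(f"POST body (never logged): {POST_BODY}")
```

Running it prints three log lines and reports only the first as leaking a password; the POST variant carries exactly the same credentials but they are in the body, which the access log does not contain. The `scan_log` function is the kind of check worth running over real access logs after a form has been switched from GET to POST, to confirm no old URLs with credentials are still arriving.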
