Hi!

> >
> > On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> > > tail -n 1 /var/log/apache/access.log
> > > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
> > >
> > > to whom belongs this problem?
> > >

I would say firstly the programmer who used GET for a password field, _and_
secondly the admin who is giving his password to a non-SSL web form!

> >
> > The programmer. There's no reason I know why the logs shouldn't be made
> > public to the users.
>
> Should every request really be a POST request?
> I do not think that this is a good (html) programming style, but perhaps
> I am wrong.
>
There is no reason to make every request a POST request.
You should use a POST request if the request contains
 - a password field
 - a lot of data
 - data which may modify a database on the server side

There is no reason to use POST if the request contains only parameters like
 - keywords for a search engine
 - a session id
 - a page number

I think I've read about this in an RFC, but I don't know exactly in which
one.


> what about apache-ssl-logs?
> has anyone the possibility to test it?
>

Yes, it's the same: everyone can read it, and the full GET requests are
enclosed.
The ssl extension only means that the server communicates over https instead
of http.

regards,
                Tibor Repasi
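The practical consequence of the thread above is that an admin should check the access logs (plain and SSL vhost alike) for credentials that ended up in query strings, and redact them before the logs are shared. The following is an added example, not code from the original thread: a small scanner for Apache common log format that flags lines whose query string carries a parameter such as password or token, and rewrites the value so the line can be handed out. The sample log is constructed for this example; the first line reproduces the request quoted in the thread, the others are invented. The list of sensitive parameter names is an assumption and should be extended to whatever the local CGI scripts actually use.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample in Apache common log format. Line 1 is the request
# quoted in the thread; lines 2-4 are made up for this example.
SAMPLE_LOG = """\
127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
10.0.0.5 - - [12/Mar/2002:13:54:02 +0100] "GET /search.cgi?keywords=apache+logs&page=2 HTTP/1.1" 200 2048
10.0.0.7 - - [12/Mar/2002:13:55:40 +0100] "POST /cgi-bin/login.pl HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2002:13:56:11 +0100] "GET /api/data?sid=abc123&token=secretvalue HTTP/1.0" 200 512
"""

# Parameter names that must never travel in a query string, because the
# access log records the full request line. This set is an assumption;
# extend it with the field names your own scripts use.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key", "apikey"}

# Common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so that "password=" with an empty value is still seen
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def find_sensitive(entry):
    """Return the names of sensitive parameters present in the query string."""
    return [name for name, _ in entry["params"] if name.lower() in SENSITIVE_PARAMS]


def scan_log(text):
    """Report every line whose query string leaks a sensitive parameter.

    A POST request does not show its body in the access log, so only the
    query string of the request line is examined, which is exactly the
    exposure discussed in the thread.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        leaked = find_sensitive(entry)
        if leaked:
            findings.append({
                "line": number,
                "host": entry["host"],
                "method": entry["method"],
                "path": entry["path"],
                "params": leaked,
            })
    return findings


def redact_line(line):
    """Rewrite the request target so sensitive values are replaced by REDACTED.

    Lines without a sensitive parameter are returned unchanged.
    """
    entry = parse_line(line)
    if entry is None or not find_sensitive(entry):
        return line
    cleaned = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in entry["params"]
    ]
    new_target = entry["path"] + "?" + urlencode(cleaned)
    return line.replace(entry["target"], new_target, 1)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("line %(line)d: %(host)s %(method)s %(path)s leaks %(params)s" % finding)
    print()
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The scanner treats parameter names case-insensitively, so a form field called Password is caught as well. Run it over the SSL vhost's access log too: as noted above, https only protects the request on the wire, the server still writes the complete GET line to disk. Redacting is a stopgap for logs that already exist; the fix the thread points to is moving the field into a POST body.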
