I concur.

--  
-a

"Only two things are infinite, the universe and human stupidity, and  
I'm not sure about the former."  --Einstein

On Sep 14, 2009, at 11:41 AM, Rob Heittman wrote:

> Quick pragmatic security note on this:
>
> I actually disagree with this statement. Using GET to pass login
> parameters is fine, and in some cases preferable (particularly as it
> relates to client caching). If you're concerned about security, you
> should encrypt such requests using SSL (you really should do this
> regardless of the method used in this case).
>
> Most web servers include the full URL of each request in their  
> server logs.  These logs are not always automatically treated with  
> the privacy accorded to the password database.  This is one reason  
> that many prefer to send such data via POST, since entity bodies are  
> not typically recorded except in debugging situations.
>
> - Rob
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2394703
