On Sat, Mar 13, 2010 at 12:12 PM, Luke <account...@lists.tacticus.com> wrote:
> Wouldn't it be somewhat more secure, not to use get at all?
> Or, at least, very minimally?
>
> We won't be sending passwords that way any more, but still...
>
Well, it doesn't entirely prevent XSRF attacks, so the benefit would be very minimal. Furthermore, if we agree that data shouldn't be saved to the db on a GET request, then the XSRF benefits are the same.

I guess there is a question why reports/trial_balance.html?from=2009-01-01&to=2009-12-31&ignore_yearend=none would be any less secure than requiring a post.

Best Wishes,
Chris Travers
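The distinction drawn in this message, as an added example (not LedgerSMB code and not part of the original post): read-only reports may stay on GET, handlers that save data refuse GET, and because a cross-site form can also POST, the saving handler additionally checks a session-bound token. The route table, the `journal/save` route, the function names and the token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, constructed for this example

# Assumed route table: "read" handlers only query, "write" handlers change the db.
ROUTES = {
    "reports/trial_balance.html": "read",  # URL taken from the message above
    "journal/save": "write",               # hypothetical state-changing route
}


def csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded only in forms the application serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, path: str, session_id: str, form: dict) -> int:
    """Return the HTTP status a dispatcher would answer with."""
    kind = ROUTES.get(path)
    if kind is None:
        return 404
    if kind == "read":
        return 200  # nothing is saved, so a forged request changes nothing
    if method != "POST":
        return 405  # never save to the db on a GET request
    supplied = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403  # POST alone is not enough: the session cookie rides along cross-site
    return 200


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(check_request("GET", "reports/trial_balance.html", sid, {}))
    print(check_request("GET", "journal/save", sid, {}))
    print(check_request("POST", "journal/save", sid, {}))
    print(check_request("POST", "journal/save", sid, {"csrf_token": csrf_token(sid)}))
```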