On Sat, 13 Mar 2010, Chris Travers wrote:

> On Sat, Mar 13, 2010 at 12:12 PM, Luke <account...@lists.tacticus.com> wrote:
>> Wouldn't it be somewhat more secure, not to use get at all?
>> Or, at least, very minimally?
>>
>> We won't be sending passwords that way any more, but still...
>
> Well, it doesn't entirely prevent XSRF attacks, so the benefit would
> be very minimal.
>
> Furthermore, if we agree that data shouldn't be saved to the db on a
> GET request, then the XSRF benefits are the same.

I guess I was thinking more along the lines of packet sniffing and 
logging.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

> I guess there is a question why
> reports/trial_balance.html?from=2009-01-01&to=2009-12-31&ignore_yearend=none
> would be any less secure than requiring a post.

In that particular case, it wouldn't.
What about user additions and such?
What about customer contact info?  Some of it may not be private, but if 
storing email addresses, phone numbers, etc., or searching on them, 
causes an entry to be stored in an access log containing all of that 
information, it could potentially open up some data mining opportunities 
for somebody.

I can't be sure that anyone would ever face a problem from any of this, 
but can you be sure that they won't?
That aside, might there not be some compliance issues that are avoided if 
such data does not have the potential to be logged?

Luke

_______________________________________________
Ledger-smb-devel mailing list
Ledger-smb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
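Added illustration of the logging concern raised above (not part of the thread, and not LedgerSMB code): a GET request carries its parameters in the request line, which a web server's access log records verbatim in the "%r" field of the common/combined log format, while a POST body is never part of that field. The script below builds a few constructed access-log lines in combined format (the paths and parameter names are hypothetical), reports which lines leaked values of parameters deemed sensitive, and shows the log-side mitigation of redacting those values. Redaction only cleans up what the server itself logged; the values have still passed through browser history, referrers and any intermediate proxy logs, which is why moving such data into a POST body, as discussed above, is the better fix.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Paths and parameter names are hypothetical, not LedgerSMB's real ones.
SAMPLE_LOG = """\
10.0.0.5 - alice [13/Mar/2010:12:14:02 -0500] "GET /app/customer_search?email=jdoe%40example.com&phone=555-0100 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.5 - alice [13/Mar/2010:12:14:09 -0500] "POST /app/customer_save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - bob [13/Mar/2010:12:15:41 -0500] "GET /app/reports/trial_balance.html?from=2009-01-01&to=2009-12-31 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Parameter names whose values should never appear in an access log (assumed list).
SENSITIVE_PARAMS = {"email", "phone", "password", "ssn"}

# The quoted request line as the server logged it: method, target (path + query), version.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)"')


def sensitive_params_in_line(line):
    """Return the names of sensitive query parameters whose values this log line exposes."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return set()
    query = urlsplit(m.group("target")).query
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_line(line, placeholder="REDACTED"):
    """Replace the values of sensitive query parameters in the request target.

    Lines without sensitive parameters are returned byte-for-byte unchanged so
    that the redaction pass never alters the rest of the log.
    """
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE_PARAMS for k, _ in pairs):
        return line
    redacted = [(k, placeholder if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    new_target = urlunsplit(parts._replace(query=urlencode(redacted)))
    return line[:m.start("target")] + new_target + line[m.end("target"):]


def scan_log(text):
    """Return (line_number, method, sorted leaked parameter names) for every leaking line.

    A POST whose sensitive data travelled in the body produces no finding here:
    the body is simply not part of what the access log records.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        leaked = sensitive_params_in_line(line)
        if leaked:
            method = REQUEST_LINE_RE.search(line).group("method")
            findings.append((n, method, sorted(leaked)))
    return findings


if __name__ == "__main__":
    for n, method, params in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} request leaked {', '.join(params)} into the access log")
    print("--- redacted log ---")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run as-is to see the GET search request flagged and its email and phone values replaced, while the POST line and the trial-balance report line (date range only, nothing sensitive) pass through untouched. The same scan can be pointed at a real access log to find out which existing GET endpoints are already writing customer data to disk before deciding which ones to move to POST.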
