On Sat, 13 Mar 2010, Chris Travers wrote:

> On Sat, Mar 13, 2010 at 1:09 PM, Luke <account...@lists.tacticus.com> wrote:
>> On Sat, 13 Mar 2010, Chris Travers wrote:
>>
>>> On Sat, Mar 13, 2010 at 12:12 PM, Luke <account...@lists.tacticus.com>
>>> wrote:
>>>
>>> Furthermore, if we agree that data shouldn't be saved to the db on a
>>> GET request, then the XSRF benefits are the same.
>>
>> I guess I was thinking more along the lines of packet sniffing and
>> logging.
>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3
>
> If you can sniff packets, you can pull POST data out as easily.
> Really, that's an argument for using SSL, which we document as
> extremely highly recommended. Logging is discussed more below.
I am assuming SSL. Correct me if I am wrong, but my recollection is that the query string (i.e. GET) is in the clear with SSL, whereas POST data is not. Do I have a fundamental misunderstanding or massive brain fart here?

Luke

_______________________________________________
Ledger-smb-devel mailing list
Ledger-smb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
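The logging angle Chris and Luke are circling around can be made concrete. The following is an added example, not LedgerSMB code and not from either poster: it renders the access-log line a web server writes in the common "combined" log format (Apache/nginx: `%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"`, where `%r` is the HTTP request line and the body is never logged), and the Referer a browser sends when the user follows a link off the resulting page (assuming no Referrer-Policy is set). The same login form is submitted once via GET and once via POST; the hostname `ledger.example`, the `/login.pl` path and the credentials are constructed sample data. On the wire, TLS protects the request line and the body alike; the difference between the two methods shows up in these records, which exist whether or not SSL is in use.

```python
"""Added example (not LedgerSMB code): what a server's access log and a
browser's Referer header retain from a GET versus a POST request."""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit, urlunsplit
import datetime


@dataclass
class Request:
    method: str
    url: str                      # full URL as the browser requests it
    headers: dict = field(default_factory=dict)
    body: bytes = b""             # POST body; never reaches the access log


def request_line(req: Request) -> str:
    """The %r field of the combined log format: method, path+query, protocol."""
    parts = urlsplit(req.url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{req.method} {target} HTTP/1.1"


def combined_log_line(req: Request, client_ip: str, status: int,
                      nbytes: int, when: datetime.datetime) -> str:
    """Render the 'combined' access-log entry a server would write for req.
    Only the request line is recorded; the request body is not."""
    ts = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    referer = req.headers.get("Referer", "-")
    ua = req.headers.get("User-Agent", "-")
    return (f'{client_ip} - - [{ts}] "{request_line(req)}" '
            f'{status} {nbytes} "{referer}" "{ua}"')


def referer_for_next_navigation(req: Request) -> str:
    """URL a browser puts in the Referer header when the user follows a link
    from the page returned for req: full URL including the query string,
    minus the fragment (assumption: no Referrer-Policy restricting it)."""
    parts = urlsplit(req.url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def leaks_secret(req: Request, secret: str,
                 client_ip: str = "203.0.113.5") -> dict:
    """Report which records would expose `secret` for this request."""
    when = datetime.datetime(2010, 3, 13, 21, 9, 0)
    log = combined_log_line(req, client_ip, 200, 512, when)
    return {
        "access_log": secret in log,
        "referer": secret in referer_for_next_navigation(req),
    }


# Constructed sample: the same credentials submitted two ways.
CREDS = {"login": "admin", "password": "s3cret-pw"}
GET_REQ = Request("GET", "https://ledger.example/login.pl?" + urlencode(CREDS))
POST_REQ = Request("POST", "https://ledger.example/login.pl",
                   headers={"Content-Type": "application/x-www-form-urlencoded"},
                   body=urlencode(CREDS).encode())

if __name__ == "__main__":
    when = datetime.datetime(2010, 3, 13, 21, 9, 0)
    for r in (GET_REQ, POST_REQ):
        print(combined_log_line(r, "203.0.113.5", 200, 512, when))
        print(leaks_secret(r, CREDS["password"]))
```

Run it and the GET line carries `password=s3cret-pw` into the log and into the next Referer, while the POST line records only `POST /login.pl HTTP/1.1`; a server can be configured to log bodies, but the default formats do not, which is the asymmetry that survives even with SSL on the wire.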