Hi Jörn, You know I always agree with you. POST is better to prevent logging. The URL with the password should not appear in the address bar even for the second before the browser is redirected, and GET requests are cached everywhere if SSL is not used. So POST is better, just not the cure-all that Bob suggested.
solprovider On 5/3/07, Jörn Nettingsmeier <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote: > Hi Bob, > > I agree using POSTs rather than GETs is better practice for most > forms, but there is little effect on security. in general, i agree. there is no subsitute for transport layer encryption. but it still makes sense not to GET passwords. to me, querystrings are part of the metadata and POST bodies are part of the data. not reading the former is nearly impossible when you're a man in the middle, reading (and logging!) the latter requires effort and bad intent. take proxies or load balancers. your GET data *will* be cached and logged in odd places out there. i don't agree that server-side logging is not an issue either: granted, in an ideal world, all logs are only readable by one user and properly chmodded. on my planet, that's simply not the case. a third issue is browser caching: of course, most browsers cache form data nowadays. but they do protect passwords if the user wants them to. if it's in the "history" or favourites list, every attacker can harvest them locally even if the user has set a master passwort for his/her form cache. plus the goal is to make it hard for people glancing over the user's shoulder. what's the point of annoying the user with a row of asterisks in the login form (which leads to typos) when we display the data in cleartext in the addressbar afterwards? Jörn Nettingsmeier
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
