Logging out - POST or GET?

 
Ranch Hand

Would we use the HTTP method POST or GET for processing the "logout" button?

I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.

Thanks,
Nidhi
 
Sheriff
"Sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.

 
Nidhi Sar
Ranch Hand

Bear Bibeault wrote: "Sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.



Right, I appreciate your point about the choice of HTTP method alone not being sufficient to make the request secure.
But quoting from HFSJ:
"The data you send with the GET is appended to the URL up in the browser bar, so whatever you send is exposed. Better not put a password or some other sensitive data as part of a GET!"

So going back to the original question, would a GET method suffice for a "logout" scenario?

 
Marshal
And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
 
Ranch Hand
Hi Bear, why is a POST no more "secure" than a GET? Could you let us know? I am under the impression that POST must be used for "sensitive data".

Bear Bibeault wrote: "Sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.

 
Bear Bibeault
Sheriff

Saibabaa Pragada wrote: Hi Bear, why is a POST no more "secure" than a GET? Could you let us know?


Because regardless of whether a GET or POST is used, the information is sent in clear text and is visible to anyone. To secure data requires an SSL connection -- POST doesn't do diddly for security.
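
The point of the post above, as an added example that is not part of the thread: two constructed login requests over plain HTTP, one GET and one POST, and a parser that reads the same form fields back out of the raw bytes of each. The host, path and form values are made up for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample form data (not from the thread).
FORM = {"user": "nidhi", "password": "s3cret-example"}
HOST, PATH = "example.test", "/login"  # hypothetical host and path


def build_get(fields):
    """Raw HTTP/1.1 GET: the form fields travel in the request line (the URL)."""
    target = f"{PATH}?{urlencode(fields)}"
    return f"GET {target} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode("ascii")


def build_post(fields):
    """Raw HTTP/1.1 POST: the same fields travel in the message body."""
    body = urlencode(fields).encode("ascii")
    head = (f"POST {PATH} HTTP/1.1\r\nHost: {HOST}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return head + body


def fields_on_wire(raw):
    """Recover the form fields from the bytes of an unencrypted request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    found = parse_qs(urlsplit(target).query)
    if method == "POST":
        found.update(parse_qs(body.decode("ascii")))
    return {name: values[0] for name, values in found.items()}


def field_location(raw, name):
    """Say which part of the request carries the field: URL or body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    key = name.encode("ascii") + b"="
    if key in head.split(b"\r\n", 1)[0]:
        return "request line (URL)"
    return "body" if key in body else None


if __name__ == "__main__":
    for raw in (build_get(FORM), build_post(FORM)):
        print(field_location(raw, "password"), fields_on_wire(raw))
```

The only difference between the two requests is where the password sits; without TLS both are readable byte for byte.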
 
Saibabaa Pragada
Ranch Hand
Paul, based on your comments, what I understand is that we can use either POST or GET. If this is not correct, it would be helpful if you could advise the right answer with an explanation.

Paul Clapham wrote: And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.

 
Ranch Hand
@Saibaba - GET or POST - which one is to be used also depends on the amount of data that will be passed to the server. Appending a lot of data as a query string will not be a good idea and hence POST is the best method to use. That's why POST is recommended for form submissions.

For a logout scenario also, if you don't have much data to send, you can use GET. This has nothing to do with security.
 
Ranch Hand

Nidhi Sar wrote:
Would we use the HTTP method POST or GET for processing the "logout" button?

I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.

Thanks,
Nidhi



Now since, unlike login, you aren't sending out any sensitive data with the logout, there is now no issue of using the POST; GET would solve the purpose. POST is used to process forms and take the data as payload.

 
Nidhi Sar
Ranch Hand
Thanks everyone! It seems clear now that either GET or POST can be used for the logout scenario.
 