Logging out - POST or GET?

 
Nidhi Sar
Ranch Hand

Would we use the HTTP method POST or GET for processing the "logout" button?

I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.

Thanks,
Nidhi
 
Bear Bibeault
Author and ninkuma
Marshal
"sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.

 
Nidhi Sar
Ranch Hand
Bear Bibeault wrote: "sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.



Right, I appreciate your point about the choice of HTTP method alone not being sufficient to make the request secure.
But quoting from HFSJ:
"The data you send with the GET is appended to the URL up in the browser bar, so whatever you send is exposed. Better not put a password or some other sensitive data as part of a GET!"

So going back to the original question, would a GET method suffice for a "logout" scenario?

 
Paul Clapham
Sheriff
And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
 
Saibabaa Pragada
Ranch Hand
Hi Bear, why is a POST no more "secure" than a GET? Could you let us know? I am under the impression that POST must be used for "sensitive data".
Bear Bibeault wrote: "sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.

 
Bear Bibeault
Author and ninkuma
Marshal
Saibabaa Pragada wrote: Hi Bear, why is a POST no more "secure" than a GET? Could you let us know?

Because regardless of whether a GET or POST is used, the information is sent in clear text and is visible to anyone. To secure data requires an SSL connection -- POST doesn't do diddley for security.
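
Added example, not part of any post in this thread: the HFSJ quote (GET data lands in the URL) and the reply above (without SSL, GET and POST are equally readable) can both be checked on loopback. The /login path, the form field names and the sample password are constructed for the demonstration.

```python
import http.client
import re
import socket
import threading
from urllib.parse import urlencode

SECRET = "hunter2-constructed"  # constructed sample value, not from the thread

def capture_request(method):
    """Send one plain-HTTP request to a loopback listener; return the raw bytes it saw."""
    srv = socket.create_server(("127.0.0.1", 0))  # port 0: any free port
    seen = []
    def listener():
        conn, _ = srv.accept()
        data = b""
        while b"\r\n\r\n" not in data:
            data += conn.recv(4096)
        head, _, body = data.partition(b"\r\n\r\n")
        m = re.search(rb"(?i)\r\ncontent-length:\s*(\d+)", head)
        length = int(m.group(1)) if m else 0
        while len(body) < length:  # the POST body may arrive in a later segment
            body += conn.recv(4096)
        seen.append(head + b"\r\n\r\n" + body)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        conn.close()
    thread = threading.Thread(target=listener)
    thread.start()
    form = urlencode({"user": "alice", "password": SECRET})  # hypothetical form fields
    client = http.client.HTTPConnection("127.0.0.1", srv.getsockname()[1], timeout=5)
    if method == "GET":
        client.request("GET", "/login?" + form)  # data rides in the URL
    else:
        client.request("POST", "/login", body=form,  # data rides in the body
                       headers={"Content-Type": "application/x-www-form-urlencoded"})
    client.getresponse().read()
    client.close()
    thread.join()
    srv.close()
    return seen[0]

def exposure(method):
    """Where the secret is visible to anyone who can read the unencrypted traffic."""
    raw = capture_request(method)
    request_line = raw.split(b"\r\n", 1)[0]  # what URL bars and access logs record
    return {"on_wire": SECRET.encode() in raw,
            "in_request_line": SECRET.encode() in request_line}

if __name__ == "__main__":
    print({m: exposure(m) for m in ("GET", "POST")})
```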
 
Saibabaa Pragada
Ranch Hand
Paul, based on your comments, what I understand is that we can use either POST or GET. If this is not correct, it would be helpful if you could advise the right answer with an explanation.
Paul Clapham wrote: And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
 
Girish Bal
Ranch Hand
@Saibaba - GET or POST - which one is to be used also depends on the amount of data that will be passed to the server. Appending a lot of data as a query string will not be a good idea and hence POST is the best method to use. That's why POST is recommended for form submissions.

For a logout scenario also, if you don't have much data to send, you can use GET. This has nothing to do with security.
 
Gaurav Sagar
Ranch Hand
Nidhi Sar wrote:
Would we use the HTTP method POST or GET for processing the "logout" button?

I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.

Thanks,
Nidhi


Now since, unlike login, you aren't sending out any sensitive data with the logout, there is now no issue of using the POST; GET would solve the purpose. POST is used to process forms and take the data as payload.

 
Nidhi Sar
Ranch Hand
Thanks everyone! It seems clear now that either GET or POST can be used for the logout scenario.