Bear Bibeault wrote:"sensitive data" is never a criteria for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.
Right, I appreciate your point that the choice of HTTP method alone is not sufficient to make the request secure.
But quoting from HFSJ:
"The data you send with the GET is appended to the URL up in the browser bar, so whatever you send is exposed. Better not put a password or some other sensitive data as part of a GET!"
So going back to the original question, would a GET method suffice for a "logout" scenario?
And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
Saibabaa Pragada wrote:Hi Bear, why is a POST no more "secure" than a GET? Could you let us know.
Because regardless of whether a GET or POST is used, the information is sent in clear text and is visible to anyone. To secure data requires an SSL connection -- POST doesn't do diddley for security.
Paul, based on your comments, what I understand is that we can use either POST or GET. If this is not correct, it would be helpful if you could advise the right answer with an explanation.
Paul Clapham wrote:And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
@Saibaba - GET or POST - which one to use also depends on the amount of data that will be passed to the server. Appending a lot of data as a query string is not a good idea, and hence POST is the better method to use. That's why POST is recommended for form submissions.
For a logout scenario as well, if you don't have much data to send, you can use GET. This has nothing to do with security.
Nidhi Sar wrote:
Would we use the Http method POST or GET for processing the "logout" button?
I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.
Now, since unlike login you aren't sending any sensitive data with the logout, there is no issue with using POST; GET would serve the purpose. POST is used to process forms and take the data as a payload.
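To make the thread's conclusion concrete, here is a logout servlet written as an added example (not code from HFSJ or from any poster above). It accepts both GET and POST and handles them identically, which is the point several replies make: the method does not change what travels over the wire, so the only thing that actually protects data in transit is TLS, and what a logout handler must get right is ending the session. The class name, the `/logout` mapping and the `/login.jsp` redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet, assumed to be mapped to /logout in web.xml.
// GET and POST are routed to the same method on purpose: a logout request
// carries no secret, and choosing POST would not hide anything anyway, since
// both a query string and a POST body are plaintext unless the connection
// uses TLS (HTTPS).
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logout(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logout(req, resp);
    }

    // The part that matters for security: invalidate the server-side session
    // so the session id the browser still holds no longer maps to anything.
    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) returns null instead of creating a fresh session
        // just to destroy it, which keeps an unauthenticated /logout cheap.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Keep the logout response out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");
        // Send the user back to the login page (assumed location).
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

A `<form method="post" action="logout">` button and a plain `<a href="logout">` link both reach the same code path here; if the form later needs to carry more data than fits comfortably in a URL, only the client side changes.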