Logging out - POST or GET?

Nidhi Sar
Ranch Hand

Joined: Oct 19, 2009
Posts: 252


Would we use the HTTP method POST or GET for processing the "logout" button?

I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.

Thanks,
Nidhi


"A problem well stated is a problem half solved." - Charles F. Kettering
SCJP 6, OCPJWCD
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    

"sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.


Nidhi Sar
Ranch Hand

Joined: Oct 19, 2009
Posts: 252

Bear Bibeault wrote: "sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.



Right, I appreciate your point that the choice of HTTP method alone is not sufficient to make the request secure.
But quoting from HFSJ:
"The data you send with the GET is appended to the URL up in the browser bar, so whatever you send is exposed. Better not put a password or some other sensitive data as part of a GET!"

So going back to the original question, would a GET method suffice for a "logout" scenario?

Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541
    

And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
Saibabaa Pragada
Ranch Hand

Joined: Oct 24, 2010
Posts: 162
Hi Bear, why is a POST no more "secure" than a GET? Could you let us know? I am under the impression that POST must be used for "sensitive data".
Bear Bibeault wrote: "sensitive data" is never a criterion for deciding whether to use a POST or a GET. A POST is no more "secure" than a GET.

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    

Saibabaa Pragada wrote: Hi Bear, why is a POST no more "secure" than a GET? Could you let us know?

Because regardless of whether a GET or POST is used, the information is sent in clear text and is visible to anyone. To secure data requires an SSL connection -- POST doesn't do diddley for security.
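
The point in the reply above, shown on the wire, as an added example that is not part of the original thread: a local listener records the raw bytes of a plain-HTTP GET and POST that carry the same value. The `/login` path, the `password` field and the sample value are constructed for illustration.

```python
import http.client
import re
import socket
import threading

SECRET = "constructed-sample-pw"  # constructed sample value, not from the thread

def need_more(buf):
    """True until the header block and any Content-Length body have arrived."""
    head, sep, body = bytes(buf).partition(b"\r\n\r\n")
    m = re.search(rb"content-length:\s*(\d+)", head.lower())
    return not sep or len(body) < (int(m.group(1)) if m else 0)

def capture_request(method):
    """Send one plain-HTTP request to a local listener; return the raw bytes it saw."""
    listener = socket.create_server(("127.0.0.1", 0))  # any free local port
    captured = bytearray()
    def serve():
        conn, _ = listener.accept()
        with conn:
            while need_more(captured):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                captured.extend(chunk)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

    worker = threading.Thread(target=serve)
    worker.start()
    client = http.client.HTTPConnection("127.0.0.1", listener.getsockname()[1], timeout=5)
    if method == "GET":
        client.request("GET", "/login?password=" + SECRET)  # value in the request line
    else:
        client.request("POST", "/login", body="password=" + SECRET,  # value in the body
                       headers={"Content-Type": "application/x-www-form-urlencoded"})
    client.getresponse().read()
    client.close()
    worker.join()
    listener.close()
    return bytes(captured)

def exposure(method):
    """Where the value shows up in the bytes an on-path observer would see."""
    raw, needle = capture_request(method), SECRET.encode()
    head, _, body = raw.partition(b"\r\n\r\n")
    return {"request_line": needle in head.split(b"\r\n")[0],
            "body": needle in body, "on_wire": needle in raw}

if __name__ == "__main__":
    print({m: exposure(m) for m in ("GET", "POST")})
```

The value moves from the request line to the body, but it is readable in the captured bytes either way.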
Saibabaa Pragada
Ranch Hand

Joined: Oct 24, 2010
Posts: 162
Paul, based on your comments, what I understand is we can use either POST or GET. If this is not correct, it would be helpful if you can advise the right answer with explanation.
Paul Clapham wrote: And going back to Bear's answer; it contains the implicit suggestion that you should find out the criteria for when GET and POST are acceptable. Then once you have done that, apply those criteria to your question.
Girish Bal
Ranch Hand

Joined: Jun 23, 2005
Posts: 52
@Saibaba - GET or POST - which one to be used depends on the amount of data that will be passed to the server also. Appending a lot of data as query string will not be a good idea and hence POST is the best method to use. That's why POST is recommended for form submissions.

For a logout scenario also, if you don't have much data to send, you can use GET. This has nothing to do with security.


Girish B
SCJA 1.0 (86%)
SCJP 1.4 (91%)
OCPJWCD (86%)
Gaurav Sagar
Ranch Hand

Joined: Sep 08, 2010
Posts: 97

Nidhi Sar wrote:
Would we use the HTTP method POST or GET for processing the "logout" button?

I thought it would be GET, since unlike "login", there isn't any sensitive data going in the request, but just wanted to confirm.

Thanks,
Nidhi


Now since unlike login, you aren't sending out any sensitive data with the logout. There is now no issue of using the POST, GET would solve the purpose. Post is used to process forms and take the data as payload.


SCJP 1.6(91%), SCWCD 1.5(100%), SCBCD in progress
Nidhi Sar
Ranch Hand

Joined: Oct 19, 2009
Posts: 252

Thanks everyone! It seems clear now that GET or POST either can be used for the logout scenario.
 