Passing parameters in URL
Diez B. Roggisch
deets at nospam.web.de
Wed Feb 3 17:31:39 EST 2010
On 03.02.10 23:09, Paul Rubin wrote:
> "Diez B. Roggisch"<deets at nospam.web.de> writes:
>> Also, your claim of it being more risky is simply nonsense. GET is a
>> tiny bit more prone to tinkering by the average user. But calling this
>> less risky is promoting security by obscurity, at most.
>
> GET parameters also tend to get recorded in the http logs of web proxies
> and web servers while POST parameters usually aren't. This was an
> annoyance in a web chat package I fooled with for a while. Because the
> package sent user messages by GET, if I ran the software the way the
> developers set it up, the contents of all the user conversations stayed
> in my server logs. I was unable to convince the chat package
> maintainers that this was a bug. I ended up doing some fairly kludgy
> hack to prevent the logging.
If somebody happens to have access to a proxy & its logs, he can as
well log the request body.
Don't get me wrong, I don't want to propagate the use of GET as the one and
only method for parameter passing. But whatever is transmitted clear
text over the wire is subject to inspection of all hops in between. Use
SSL if you bother.
Diez