From: zeno (bugtraq_at_cgisecurity.net)
Date: Wed Jul 10 2002 - 14:04:36 CDT


    Hello,

    I've found that search engines will tend to archive long queries to a website script
    even if it is over SSL. I guess it's a matter of what you are passing and how sensitive it is.

    Example: http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=allinurl%3A+https%3A%2F%2F+.cgi%3Fusername%3D

    (notice https)

    You'll notice a few things like account usernames and maybe even passwords
    are saved in an archive. Using POST will prevent this from being archived.

    Just some thoughts, nothing extensive. Also keep in mind that using GET shows the user
    the data and could lead to easier manipulation of fields than in POST. Sure,
    they could adjust form fields, but a lot of "script kids" use search engines to pick
    at scripts using quick GET requests to probe fields. Most want a quick shell
    and probably wouldn't bother probing all fields. I'm not sure if this is the answer
    you're looking for, but I hope it helps you.

    - zenocgisecurity.com

    >
    > Our application communicates across various application server environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to pass data/parameters back and forth. Naturally we use SSL to encrypt the request/response.
    >
    > I wanted to see if there were any Best Practices established to transfer data in this fashion. POST vs. GET method, querystring vs. hidden form variable, etc.
    >
    > Any insight would be appreciated!
    >
    > ____________________________________
    > Steve Fling
    > Managing Architect - Web Development
    > OppenheimerFunds, Inc.
    > sflingoppenheimerfunds.com
    > Office: 303.768.3200
    > FAX: 303.768.1096
    > http://www.oppenheimerfunds.com
    > ____________________________________
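The leak zeno describes is not specific to search engines: a query string is written to disk wherever the URL is handled, so the same usernames and passwords show up in web server access logs, proxy logs, browser history and Referer headers, HTTPS or not (TLS protects the URL on the wire, not at either end). The following audit script is an added example, not code from the original post or from either poster; it parses constructed combined-format log lines (made up for this example) and flags requests whose query string, or whose Referer header, carries a parameter name from an assumed list of sensitive names.

```python
"""Audit web server access logs for credentials passed in GET query strings.

Added example, not code from the original post. The log lines in SAMPLE_LOG are
constructed (Apache/nginx combined log format) and SENSITIVE_PARAMS is an
assumed list of parameter names for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel in a URL (assumption for this example).
# Query strings persist in server logs, proxy logs, browser history, Referer
# headers and search-engine archives even when the request itself is over HTTPS.
SENSITIVE_PARAMS = {
    "username", "user", "password", "passwd", "pwd",
    "token", "session", "sessionid", "apikey",
}

# Combined log format:
# client ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: line 1 sends credentials in a GET query string,
# line 2 is the same login done with POST (the body is not logged), line 3 shows
# a session id leaking through the Referer header of an image request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2002:14:04:36 -0500] "GET /cgi-bin/login.cgi?username=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [10/Jul/2002:14:04:40 -0500] "POST /cgi-bin/login.cgi HTTP/1.1" 302 0 "https://www.example.com/login.html" "Mozilla/4.0"
10.0.0.9 - - [10/Jul/2002:14:05:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "https://www.example.com/account.cgi?sessionid=abc123" "Mozilla/4.0"
10.0.0.7 - - [10/Jul/2002:14:05:30 -0500] "GET /search.cgi?q=widgets HTTP/1.1" 200 4096 "-" "Googlebot/2.1"
"""


def sensitive_params_in_url(url):
    """Return the sorted names of sensitive parameters found in a URL's query string."""
    query = urlsplit(url).query
    return sorted(
        name for name in parse_qs(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    )


def audit_log(text):
    """Return one finding per log line that carries sensitive data in a query string.

    Two places are checked: the request target itself (credentials in a GET URL)
    and the Referer header, which the browser sends along with the next request
    and which copies the previous page's query string into this log and into any
    third-party server that the page pulls resources from.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        hit = sensitive_params_in_url(m["target"])
        if hit:
            findings.append({"line": lineno, "where": "request",
                             "method": m["method"], "params": hit})
        if m["referer"] != "-":
            hit = sensitive_params_in_url(m["referer"])
            if hit:
                findings.append({"line": lineno, "where": "referer",
                                 "method": m["method"], "params": hit})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['where']} of {f['method']} "
              f"exposes {', '.join(f['params'])}")
```

Run against the constructed log, the script reports line 1 (username and password in the GET URL) and line 3 (sessionid in the Referer); the POST login on line 2 leaves nothing in the log because the body is not recorded. Moving credentials into a POST body fixes the first finding, but the Referer case shows the second half of the problem: a session identifier in any URL, including one reached by POST-then-redirect, still leaks through subsequent requests, so session state belongs in a cookie or hidden form field rather than the query string.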