OSEC

From: Kalyan Varma (kalyan_at_yahoo-inc.com)
Date: Wed Jul 10 2002 - 14:53:34 CDT

    Just because POST is not visible to the naked eye, that does not make it any
    more secure. It is in fact as insecure as GET. A cracker can spoof
    these values at any time.

    thanks,

    - kalyan

    On Wed, 10 Jul 2002, Bryan Ponnwitz wrote:

    > Steven:
    > I've found that the best way to pass data is using POST and hidden
    > form data. If you use GET, the user is able to see the data that your
    > application is passing, which is a security problem, and you're limited
    > to so many bytes (I think it's 1024 bytes, but don't quote me on that
    > one). I've written relatively large web apps before and experimented
    > with using GET, POST and even cookies and I find that POST is the most
    > flexible and secure.
    >
    >
    > Bryan Ponnwitz
    > Webmaster - Broome-Tioga Boces
    > bponnwit@btboces.org
    > (607) 763-3609
    >
    > >>> "Steven Fling" <SFLING@oppenheimerfunds.com> 07/10/02 02:36PM >>>
    > Our application communicates across various application server
    > environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to
    > pass data/parameters back and forth. Naturally we use SSL to encrypt
    > the request/response.
    >
    > I wanted to see if there were any Best Practices established to
    > transfer data in this fashion. POST vs. GET method, querystring vs.
    > hidden form variable, etc.
    >
    > Any insight would be appreciated!
    >
    > ____________________________________
    > Steve Fling
    > Managing Architect - Web Development
    > OppenheimerFunds, Inc.
    > sfling@oppenheimerfunds.com
    > Office: 303.768.3200
    > FAX: 303.768.1096
    > http://www.oppenheimerfunds.com
    > ____________________________________
    >
    >
    > This electronic mail transmission may contain confidential information
    > and is intended only for the person(s) named. Any use, copying or
    > disclosure by any other person is strictly prohibited. If you have
    > received this transmission in error, please notify the sender via
    > e-mail.
    >
    >
    >

    -- 
    ----------------------------------------
    Kalyan Varma Alluri <kalyan@exocore.com>
    http://kalyan.n3.net || PGP : 3795C2A4
    ---------------------------------------
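Kalyan's point, worked through in code. This is an added example written for this archive page, not code from anyone in the thread. It assumes a constructed order form with a hidden `price` field, a constructed server-side catalog and secret, and hypothetical handler names (`handle_order_trusting`, `handle_order_signed`, `handle_order_lookup`). It shows that a POST body and a GET query string parse to exactly the same parameters, that a client can rewrite a hidden field before submitting it, and two server-side responses: an HMAC over the hidden fields that detects the edit, and the simpler fix of not reading the price from the client at all.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed example secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-use"

# Constructed catalog: the server-side source of truth for prices (in cents).
CATALOG = {"sku-100": 4999}


def render_hidden_fields(sku):
    """What the server puts into the hidden form fields it sends to the client."""
    return {"sku": sku, "price": str(CATALOG[sku])}


def canonical(fields):
    """Deterministic encoding of every field except the signature itself."""
    return urlencode(sorted((k, v) for k, v in fields.items() if k != "sig"))


def sign(fields):
    """HMAC-SHA256 over the canonical form, keyed with the server secret."""
    return hmac.new(SERVER_SECRET, canonical(fields).encode(), hashlib.sha256).hexdigest()


def render_signed_hidden_fields(sku):
    """Same hidden fields, plus a server-generated signature the client cannot forge."""
    fields = render_hidden_fields(sku)
    fields["sig"] = sign(fields)
    return fields


def forged_request(fields, **overrides):
    """What any client can do: take the form's hidden fields, change them, resubmit."""
    tampered = dict(fields)
    tampered.update(overrides)
    return urlencode(tampered)


def parse_request(method, query, body):
    """GET parameters and POST body parameters come from the same place: the client."""
    raw = query if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def verify_signature(params):
    """True only if the submitted fields match the signature the server issued."""
    return hmac.compare_digest(sign(params), params.get("sig", ""))


def handle_order_trusting(params):
    """Vulnerable: treats the hidden price field as authoritative."""
    return int(params["price"])


def handle_order_signed(params):
    """Hardened: rejects any hidden field that was changed after the server sent it."""
    if not verify_signature(params):
        raise ValueError("hidden field tampered with")
    return int(params["price"])


def handle_order_lookup(params):
    """Simplest fix: never read the price from the client; look it up by sku."""
    return CATALOG[params["sku"]]


if __name__ == "__main__":
    form = render_signed_hidden_fields("sku-100")
    body = forged_request(form, price="1")
    params = parse_request("POST", "", body)
    print("POST body parses like a GET query:",
          params == parse_request("GET", body, ""))
    print("trusting handler charges:", handle_order_trusting(params))
    print("signature valid:", verify_signature(params))
    print("lookup handler charges:", handle_order_lookup(params))
```

The signed variant only proves the fields are the ones this server issued; it does not stop a client from replaying an old signed price after the catalog changes, so the lookup handler is the one to prefer when the server already holds the value. Moving parameters from the query string to a POST body, or behind SSL, changes none of this: SSL protects the bytes on the wire from third parties, not from the party that is sending them.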