POST is not secure. A simple view source will reveal your hidden field
values. Session variables might be your answer.

-----Original Message-----
From: Bryan Ponnwitz [mailto:bponnwitbtboces.org]
Sent: Wednesday, July 10, 2002 3:04 PM
To: webappsecsecurityfocus.com
Subject: Re: Best Practices for passing data via HTTP

Steven:
     I've found that the best way to pass data is using POST and hidden
form data. If you use GET, the user is able to see the data that you
application is passing, which is a security problem, and you're limited
to so many bytes (I think it's 1024 bytes, but don't quote me on that
one). I've written relatively large web apps before and experimented
with using GET, POST and even cookies and I find that POST is the most
flexible and secure.

Bryan Ponnwitz
Webmaster - Broome-Tioga Boces
bponnwitbtboces.org
(607) 763-3609

>>> "Steven Fling" <SFLINGoppenheimerfunds.com> 07/10/02 02:36PM >>>
Our application communicates across various application server
environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to
pass data/parameters back and forth. Naturally we use SSL to encrypt
the request/response.
 
I wanted to see if there were any Best Practices established to transfer
data in this fashion. POST vs. GET method, querystring vs. hidden form
variable, etc.
 
Any insight would be appreciated!
 
____________________________________
Steve Fling
Managing Architect - Web Development
OppenheimerFunds, Inc.
sflingoppenheimerfunds.com
Office: 303.768.3200
FAX: 303.768.1096
http://www.oppenheimerfunds.com
____________________________________

This electronic mail transmission may contain confidential information
and is intended only for the person(s) named. Any use, copying or
disclosure by any other person is strictly prohibited. If you have
received this transmission in error, please notify the sender via
e-mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]