From: Jason Childers (jason_at_butterflysecurity.com)
Date: Wed Jul 10 2002 - 17:34:42 CDT

    Chiming in...

    > -----Original Message-----
    > From: Blake Frantz [mailto:blakemc.net]
    > Sent: Wednesday, July 10, 2002 2:09 PM
    > To: 'Anna Karuba'; 'Bryan Ponnwitz'; webappsecsecurityfocus.com
    > Subject: RE: Best Practices for passing data via HTTP
    >
    > I don't think anyone is suggesting that POST is secure by itself, but
    > perhaps *more* secure than GET. Additionally, I don't think Bryan was
    > talking about using hidden form values in the context of:

    Neither is more secure than the other. One is merely invisible to the
    human eye. The other is not. Neither of which matters when discussing
    security for a web application. Requests can and will be intercepted, and
    at that point, the sniffer doesn't care if it's a POST or a GET method.
    With respect to JSPs and servlets, it's often common practice to wrap the
    GET method with the POST method or vice versa, so processing-wise they
    become one and the same to the server side code. There's no reason that a
    network sniffer can't do the same thing.

    > -----Original Message-----
    > From: Anna Karuba [mailto:akarubaapexdigitalsystems.com]
    > Sent: Wednesday, July 10, 2002 2:44 PM
    > To: Bryan Ponnwitz; webappsecsecurityfocus.com
    > Subject: RE: Best Practices for passing data via HTTP
    >
    >
    > POST is not secure. A simple view source will reveal your hidden field
    > values. Session variables might be your answer.
    >
    > -----Original Message-----
    > From: Bryan Ponnwitz [mailto:bponnwitbtboces.org]
    > Sent: Wednesday, July 10, 2002 3:04 PM
    > To: webappsecsecurityfocus.com
    > Subject: Re: Best Practices for passing data via HTTP
    >
    >
    > Steven:
    > I've found that the best way to pass data is using POST and hidden
    > form data. If you use GET, the user is able to see the data that your
    > application is passing, which is a security problem, and you're limited
    > to so many bytes (I think it's 1024 bytes, but don't quote me on that
    > one). I've written relatively large web apps before and experimented
    > with using GET, POST and even cookies and I find that POST is the most
    > flexible and secure.
    >
    >
    > Bryan Ponnwitz
    > Webmaster - Broome-Tioga Boces
    > bponnwitbtboces.org
    > (607) 763-3609
    >
    > >>> "Steven Fling" <SFLINGoppenheimerfunds.com> 07/10/02 02:36PM >>>
    > Our application communicates across various application server
    > environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to
    > pass data/parameters back and forth. Naturally we use SSL to encrypt
    > the request/response.
    >
    > I wanted to see if there were any Best Practices established to transfer
    > data in this fashion. POST vs. GET method, querystring vs. hidden form
    > variable, etc.
    >
    > Any insight would be appreciated!
    >
    > ____________________________________
    > Steve Fling
    > Managing Architect - Web Development
    > OppenheimerFunds, Inc.
    > sflingoppenheimerfunds.com
    > Office: 303.768.3200
    > FAX: 303.768.1096
    > http://www.oppenheimerfunds.com
    > ____________________________________
    >
    >
    > This electronic mail transmission may contain confidential information
    > and is intended only for the person(s) named. Any use, copying or
    > disclosure by any other person is strictly prohibited. If you have
    > received this transmission in error, please notify the sender via
    > e-mail.
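The thread's point, as an added illustration (not code from the original message or from any list member): the same parameters serialized as GET and as POST both carry the value verbatim on an unencrypted link, a servlet-style handler that treats the two methods alike parses them identically, and server-side session variables, the alternative Anna suggests, keep the value off the wire and leave the client holding only an opaque id. The host, path, cookie name and the account value are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode


def build_get(host, path, params):
    # Parameters travel in the request line: visible in the address bar, proxy and server logs.
    return f"GET {path}?{urlencode(params)} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def build_post(host, path, params):
    # Same parameters, now in the entity body: hidden from the address bar, not from the wire.
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def parse_params(raw):
    # Servlet-style handling that makes doGet and doPost one and the same:
    # read parameters from the query string for GET and from the body for POST.
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    query = target.partition("?")[2] if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(query).items()}


def visible_on_wire(raw, value):
    # What a passive observer of an unencrypted link sees: the value verbatim, or not at all.
    return value in raw


class SessionStore:
    # Server-side session variables; the client never receives the data, only a random id.
    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def build_session_request(host, path, sid):
    # Only the session id crosses the wire (constructed cookie name); the data stays server-side.
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: JSESSIONID={sid}\r\nContent-Length: 0\r\n\r\n")


# Constructed sample: a made-up account number handed from one page to the next.
SAMPLE = {"account": "12345678", "step": "confirm"}
```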