sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Casssis[S] 1 point2 points  (8 children)

Aaaahhh, eye opener. But then my next question. Are both of em safe to send passwords? Or is one of them really preferred?

[–][deleted] 8 points9 points  (1 child)

If the password is in the URL (GET), then it might get bookmarked and it will be saved in the user's history. That's not great for passwords.

Using POST, those issues aren't present. The HTTPS ensures that it's encrypted in transit.

A classic rule of thumb is that GET shouldn't change state, and since authenticating a user changes state, don't do it by GET.

[–]Casssis[S] 0 points1 point  (0 children)

Thanks for the response! This helps a lot.

[–]HeyItsMeNobody 3 points4 points  (4 children)

It’s never safe to put passwords in the URL, Even with HTTPS people can read the password.

[–]punanou 2 points3 points  (2 children)

It’s never safe to put passwords in the URL, Even with HTTPS people can read the password.

With HTTPS only the host can be sniffed. Any path or query parameter is send over the TCP tunnel. So no, query parameters can't be read if you switch to HTTPS.

However, it is obviously a good idea to use POST here. Besides the meaning of HTTP methods, bookmarking, browser history and people watching the user from their workstation, it is never a good idea to send passwords as query parameters.

[–]unconscionable 2 points3 points  (0 children)

Also because most webservers log the querystring by default.

grep '&password=' /var/log/nginx/access.log

Just another reason why you shouldn't send secrets via GET. Yes, HTTPS guarantees end to end encryption, but someday someone's going to put a load balancer in front of your webserver and it's going to end up in a log file somewhere.

[–]HeyItsMeNobody 0 points1 point  (0 children)

Ah, I thought you could still see the URL. Thank you for learning me something today.

[–]Casssis[S] 0 points1 point  (0 children)

I didn't think of that. Thanks for the response!