4

General practice is that when you log in, or do something else that requires your username and password, you send it in the body of a POST request. Also, for added security, HTTPS should be used.

In a GET request these parameters are sent as part of the URL. But in HTTPS both body and headers are encrypted, as I understand.

So in theory, whether you use HTTPS POST or GET for sending, your data are safe...; in one case the attacker will have to decrypt your header and in the other your body.

So my question is, if this is all true, how is POST more secure?

sanepete
MegaManX
  • Generally POST is used to send data or for creating (in REST). In the login process, this action is done thinking in the way to create a session. I don't think that using GET is wrong or 'more' insecure. Also, in many systems the username/password are sent in the headers encoded. But, if you are passing the username and password in several requests to retrieve data, I would think that something is wrong in your API. – Arnaldo Ignacio Gaspar Véjar Nov 05 '13 at 17:28
  • Link to variety of in depth answers http://security.stackexchange.com/questions/12531/ssl-with-get-and-post – MegaManX Nov 09 '13 at 09:36

5 Answers

8

Aside from what others have already written there is an additional point: in web servers' log files most often the entire URL is logged, so anyone with access to the log files can read the login credentials. Furthermore, if there is some traffic analysis tool on the page (say, e.g., Google Analytics or whatever), then the calling URL is reported there as well, so those people can read the login credentials too (and they may even appear in the traffic analysis).

Frank
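The log-file point Frank makes (and the asker's underlying question of why TLS alone does not make GET as safe as POST) can be seen in an access log: TLS protects the request in transit, but the request line, query string included, is written in the clear at the server, while a POST body is never logged. The following is an added example, not code from this thread or any of its posters: a small Python scanner over constructed Apache/nginx combined-format log lines (the IP addresses, usernames and password are made up; the set of parameter names treated as sensitive is an assumption) that flags credentials leaked through the request target or carried over in the Referer header, plus a redaction helper for logs that must keep the rest of the line intact.

```python
"""Scan web server access logs for credentials leaked through GET query
strings, and redact them.  Added example, not from the Stack Overflow
thread; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as sensitive (hypothetical list; extend as needed).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key"}

# Apache/nginx "combined" format:
# ip ident user [timestamp] "METHOD target HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a GET login with credentials in the URL, the same
# login done with POST (the body never reaches the access log), a later GET
# whose Referer header still carries the credential-bearing URL, and a
# harmless search request.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2013:17:28:01 +0000] "GET /login?username=ironman231&password=veryStrongPassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Nov/2013:17:28:02 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Nov/2013:17:29:10 +0000] "GET /dashboard HTTP/1.1" 200 5120 "https://example.com/login?username=ironman231&password=veryStrongPassword" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Nov/2013:17:30:00 +0000] "GET /search?q=post+vs+get HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def sensitive_params(url):
    """Return the sorted names of sensitive query parameters in a URL or path."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the values of sensitive query parameters with REDACTED."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return a list of (line_no, where, params) for every line leaking credentials.

    `where` is "request" when the leak is in the request target and "referer"
    when a credential-bearing URL was carried over via the Referer header.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would report it
        for field in ("target", "referer"):
            params = sensitive_params(m.group(field))
            if params:
                findings.append((n, "request" if field == "target" else "referer", params))
    return findings


def redact_log_line(line):
    """Return the line with credential values in the target and Referer redacted."""
    m = LOG_RE.match(line)
    if not m:
        return line
    out = line
    for field in ("target", "referer"):
        original = m.group(field)
        out = out.replace(original, redact_url(original))
    return out


if __name__ == "__main__":
    for n, where, params in scan_log(SAMPLE_LOG):
        print(f"line {n}: credentials in {where}: {', '.join(params)}")
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

Run as a script, it reports lines 1 and 3 (the POST login on line 2 is clean, because only the request line, not the body, is logged) and prints the redacted log. Redaction at write time is the mitigation that matters: once the credential is in the access log it is also in every backup, log shipper and analytics pipeline downstream, which is exactly the exposure Frank describes.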
4

GET is recorded in the browser's history. Someone might look in your surfing history and see your password.

ilhan
1

Same reason you display **** in a password entry field...

If you send the credentials via GET, anyone looking over the shoulder of the user could see the password (or perhaps a hash of the password, depending on exactly how you perform your logon) in the URL bar.

Eric J.
1

The main point of putting something in a GET request is the ability to bookmark the result. This is great for search results, not so much for a login request. Sharing that URL would then theoretically allow anyone to log in using your username and password.

zinzendorf
0

It's for privacy concerns. As others have mentioned, GET requests can easily be tracked, such that the URL string can be read by potentially malicious parties.

A URL such as:
www.facebook.com/login?username=ironman231&password=veryStrongPassword

provides a good example; the username and password are directly visible within the URL.