80:483 - GET and POST security

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Oct 4 13:46:09 UTC 2007


On Wed, Oct 03, 2007 at 08:26:35PM -0400, Zbigniew Koziol wrote:
> Some time ago I argued that there is no difference between security of
> GET and POST methods when using http.
> 
> How however about when https protocol is used?
> 
> Well, I know, I could find the answer myself. But this way is
> hopefully quicker and talking with others on this list is always a
> pleasure to me.
> 
> URL address posted by GET method is vulnerable to interception by
> monkey in the middle, in case of both, http and https requests. So,
> for instance, sending GET https requests with session id within URL
> seems risky. How about if session id was sent through POST method?
> That's not clear to me - will it be encrypted or not?

Yes, with https using post does encrypt the data, while using get would
not.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
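
Added example, not part of the original thread: whatever happens in transit, a web server writes the request URL to its access log but not the POST body, so a session id sent in a GET URL ends up stored there. This Python sketch audits Common Log Format lines for such ids and redacts them; the parameter names and sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as session identifiers (assumed; adjust per application).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid"}
# Request line of a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PATH_PARAM_RE = re.compile(r";(\w+)=[^;/?]*")  # path parameter, e.g. /cart;jsessionid=...

def is_session(name):
    return name.lower() in SESSION_PARAMS

def session_params(target):
    """Names of session-like parameters carried in the query string or path."""
    parts = urlsplit(target)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True) if is_session(k)]
    names += [m.group(1) for m in PATH_PARAM_RE.finditer(parts.path) if is_session(m.group(1))]
    return names

def redact(target):
    """Same target with every session-like value replaced by REDACTED."""
    parts = urlsplit(target)
    query = urlencode([(k, "REDACTED" if is_session(k) else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    path = PATH_PARAM_RE.sub(
        lambda m: f";{m.group(1)}=REDACTED" if is_session(m.group(1)) else m.group(0),
        parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def audit(lines):
    """Return (line_no, method, param_names, redacted_line) for each log line with a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        names = session_params(m.group("target")) if m else []
        if names:
            s, e = m.span("target")
            hits.append((n, m.group("method"), names, line[:s] + redact(m.group("target")) + line[e:]))
    return hits

# Constructed sample lines (documentation address range, made-up tokens).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/2007:13:46:09 +0000] "GET /account?sid=3f9a1c&view=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Oct/2007:13:46:12 +0000] "POST /account HTTP/1.1" 200 498',
    '192.0.2.11 - - [04/Oct/2007:13:47:01 +0000] "GET /cart;jsessionid=AB12CD HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

The POST line produces no hit because this log format records only the request line, not the body.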




