Till Maas wrote:
On Tue November 25 2008, Mike McGrath wrote:
> GET vs POST is an interesting discussion. From a security point of view
> though the only advantage is in how we log and that GET requests stay in
> the logs.
There may also be some other issues, e.g. when GET requests are used to submit
confidential data, because then they may also be stored in the browser's
history. But my concern was not about security issues.
> Obviously though an authenticated web crawler could accidentally do some
> serious damage.
It would not necessarily be serious damage, but the browser's session
management could show annoying behaviour, because then some requests could
be made every time a user restores a browser session.
For these issues we could either concentrate on fixing or mitigating
them. Fixing them would require the laborious changes I talked about
earlier to change the way the framework already processes the POST and
GET parameters before they get to us. Mitigation is easier -- we should
make it part of our best practices to never have links or GET-driven
forms that make state changes when designing the UI and templates.
-Toshio
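The following is an added example, not code from this thread or from the web framework the messages refer to. It demonstrates the two behaviours discussed above in one place: a handler that changes state on a plain GET link is re-triggered when a browser restores its session and re-fetches the open tabs, while the same action behind a POST-only check is refused on the replay. The tiny dispatcher, `Request` class, `require_post` decorator, `PackageDB` state and the package/owner sample data are all assumptions made for the example; the package-orphaning action is just a stand-in for any state change.

```python
# Added example (not from the thread, not any real framework's API): a tiny
# request dispatcher showing why a link or GET-driven form must never change
# state, and a decorator that enforces POST for state-changing handlers.
from functools import wraps


class Request:
    """Minimal stand-in for a framework request object (assumption)."""
    def __init__(self, method, path, params=None):
        self.method = method.upper()
        self.path = path
        self.params = dict(params or {})


class MethodNotAllowed(Exception):
    """Raised when a state-changing handler is reached with a method other than POST."""


def require_post(handler):
    """Refuse anything but POST: links, crawlers and session restores all issue GETs."""
    @wraps(handler)
    def wrapper(app, request):
        if request.method != "POST":
            raise MethodNotAllowed(
                "%s %s: state change requires POST" % (request.method, request.path))
        return handler(app, request)
    return wrapper


class PackageDB:
    """Toy application state: package -> owner (constructed sample data)."""
    def __init__(self):
        self.owners = {"foo": "alice", "bar": "bob"}

    # Vulnerable pattern: a plain link such as /orphan_get?pkg=foo changes state.
    def orphan_via_get(self, request):
        pkg = request.params["pkg"]
        self.owners[pkg] = None
        return "orphaned %s" % pkg

    # Hardened pattern: the same action, reachable only by POST.
    @require_post
    def orphan_via_post(self, request):
        pkg = request.params["pkg"]
        self.owners[pkg] = None
        return "orphaned %s" % pkg

    def claim(self, pkg, user):
        """Out-of-band state change used by the scenario below."""
        self.owners[pkg] = user

    # Read-only handler: safe under GET because it writes nothing.
    def show_owner(self, request):
        return self.owners.get(request.params["pkg"])


ROUTES = {
    "/orphan_get": PackageDB.orphan_via_get,
    "/orphan_post": PackageDB.orphan_via_post,
    "/owner": PackageDB.show_owner,
}


def dispatch(db, request):
    """Route a request: (200, body) on success, 405 if the method is refused, 404 otherwise."""
    handler = ROUTES.get(request.path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(db, request)
    except MethodNotAllowed as exc:
        return 405, str(exc)


def restore_session(db, open_tabs):
    """Simulate a browser restoring its tabs: every URL is re-fetched with GET,
    whatever method originally produced the page."""
    return [dispatch(db, Request("GET", path, params)) for path, params in open_tabs]


def scenario(method, path):
    """Orphan 'foo' via `path`, let 'carol' claim it, then restore the browser
    session with that URL still open. Returns (status of the first request,
    owner of 'foo' afterwards); an owner of None means the restore silently
    orphaned the package again."""
    db = PackageDB()
    first_status, _ = dispatch(db, Request(method, path, {"pkg": "foo"}))
    db.claim("foo", "carol")
    restore_session(db, [(path, {"pkg": "foo"})])
    return first_status, db.owners["foo"]


if __name__ == "__main__":
    print("GET-driven handler after session restore:", scenario("GET", "/orphan_get"))
    print("POST-only handler after session restore:", scenario("POST", "/orphan_post"))
```

The check is on the request method only, which is the mitigation the message describes; it does not separate query-string parameters from form-body parameters, so it does nothing about the framework-level merging of GET and POST parameters mentioned above. It also does not prevent a cross-site form from submitting the POST on a logged-in user's behalf; a POST-only rule stops accidental replays by browsers and crawlers, not deliberate cross-site requests, which need a separate anti-CSRF token.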