
Re: POST vs. GET



On Tue, 9 Jan 1996, David W. Morris wrote:

> > Ok, so my question is somewhat basic, but I couldn't find an answer by myself.
> > 
> > From a security point of view, is there any reason to use METHOD=GET instead
> > of METHOD=POST when submitting forms ?
> > 
> > I'm only asking this because a few days ago I came into a situation where I
> > had to use POST. I was happy until then with GET, but GET with TEXTAREA
> > fields when going through a TIS firewall looks to be a "no-no".
> > I don't know why but everything after the first &0D looks to be truncated
> > somewhere in the way to the server. This includes the other lines that may
> > exist in the TEXTAREA and _ANY_ other field that may appear after the TEXTAREA.

This may not have anything to do with the firewall at all.  How 
would it, actually?  It could be associated with max size allowed for 
QUERY_STRING (the env var used with method=GET). I believe this is why 
method=POST is generally preferred for large amounts of data.  Sounds like 
your data is simply getting truncated after QUERY_STRING maxes out.
 
> The only sensitive data implications I'm aware of are from the fact
> that the GET URI encoded form data is generally logged in the
> various server log files and also often appears in the URL/URI
> window of the browser. I've used the term 'sensitive data' because
> one can hardly consider a switch to POST 'secure' but data will be
> less visible to unexpected observers.

True.  Don't forget that QUERY_STRING is visible to anyone with shell
access to the web server during the run of the CGI.  (Try a "ps -auxewwwww
|fgrep QUERY_STRING" on any web server running frequent CGIs to see what I
mean.) I believe this is really the reason POST is preferred.  STDIN is
much harder to get at than the environment of the CGI.
 
> Secondly, there are apparently some browsers and also firewall 
> proxies or whatever which significantly limit the length of
> the URI.  Based on SGML limits associated with HTML, there are
> element attribute value length limits. 

Ditto.

Robert Muhlestein
Teleport Creative Services
CGI Guy
cgi@teleport.com
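The two points made in this reply (GET form data lands in the request line, the access log and the CGI's QUERY_STRING environment variable, while POST data arrives on the CGI's stdin; and a capped QUERY_STRING silently drops every field after the cut) as an added, runnable example. This is not code from the thread or from any of the posters; it uses only the Python standard library, the form fields, path, timestamp and "secret" value are constructed sample data, and the `/proc` check that stands in for `ps e` only works on Linux and returns None elsewhere.

```python
"""Added example: where form data ends up for GET vs POST, from the CGI server's side.
All form values, paths and the log timestamp are constructed sample data."""
import os
import subprocess
import sys
from urllib.parse import urlencode, parse_qsl

# Constructed sample form: a multi-line TEXTAREA, then another field after it.
SAMPLE_FORM = [
    ("user", "alice"),
    ("comment", "first line\r\nsecond line"),
    ("token", "example-not-a-real-secret"),
]
SENSITIVE_KEYS = {"comment", "token"}


def encode_form(fields):
    """application/x-www-form-urlencoded: spaces become '+', CR LF becomes %0D%0A."""
    return urlencode(fields)


def build_get(path, fields):
    """GET: the whole form rides in the request line, and the server copies it
    into the QUERY_STRING environment variable of the CGI process."""
    qs = encode_form(fields)
    env = {"REQUEST_METHOD": "GET", "QUERY_STRING": qs}
    return f"GET {path}?{qs} HTTP/1.0", env, b""


def build_post(path, fields):
    """POST: the form goes in the body, which the CGI reads from stdin;
    only its length and type appear in the environment."""
    body = encode_form(fields).encode("ascii")
    env = {"REQUEST_METHOD": "POST", "QUERY_STRING": "",
           "CONTENT_TYPE": "application/x-www-form-urlencoded",
           "CONTENT_LENGTH": str(len(body))}
    return f"POST {path} HTTP/1.0", env, body


def fields_seen_by_cgi(env, stdin_bytes):
    """What the CGI recovers: QUERY_STRING for GET, CONTENT_LENGTH bytes of stdin for POST."""
    if env["REQUEST_METHOD"] == "GET":
        raw = env["QUERY_STRING"]
    else:
        raw = stdin_bytes[: int(env["CONTENT_LENGTH"])].decode("ascii")
    return dict(parse_qsl(raw, keep_blank_values=True))


def fields_after_truncation(qs, limit):
    """Fields that survive if the query string is cut at `limit` bytes somewhere on
    the way to the CGI: the field being cut is shortened and every later field is gone."""
    return dict(parse_qsl(qs[:limit], keep_blank_values=True))


def access_log_line(request_line):
    """A common-log-format line as a server would write it (constructed timestamp)."""
    return f'127.0.0.1 - - [09/Jan/1996:12:00:00 +0000] "{request_line}" 200 -'


def redact_log_line(line, sensitive_keys):
    """Mask the values of chosen query parameters in a logged request line, so a
    form submitted with GET does not persist verbatim in the access log."""
    start = line.find("?")
    if start == -1:
        return line
    end = line.find(" ", start)
    if end == -1:
        end = len(line)
    pairs = parse_qsl(line[start + 1:end], keep_blank_values=True)
    masked = [(k, "REDACTED" if k in sensitive_keys else v) for k, v in pairs]
    return line[:start + 1] + urlencode(masked) + line[end:]


def query_string_visible_via_proc(cgi_env):
    """Start a stand-in CGI child with the GET environment and, from this (other)
    process, read its environment through /proc, which is what `ps e` shows.
    Returns the QUERY_STRING as seen from outside, or None where that is unavailable."""
    try:
        child = subprocess.Popen(
            [sys.executable, "-c", "import sys; sys.stdin.read()"],  # blocks until EOF
            stdin=subprocess.PIPE, env={**os.environ, **cgi_env})
    except OSError:
        return None
    try:
        with open(f"/proc/{child.pid}/environ", "rb") as f:
            blob = f.read()
    except OSError:
        return None
    finally:
        child.kill()
        child.wait()
    for item in blob.split(b"\0"):
        if item.startswith(b"QUERY_STRING="):
            return item[len(b"QUERY_STRING="):].decode("ascii")
    return None


if __name__ == "__main__":
    line, env, body = build_get("/cgi-bin/comment", SAMPLE_FORM)
    print("GET request line :", line)
    print("logged as        :", access_log_line(line))
    print("redacted log     :", redact_log_line(access_log_line(line), SENSITIVE_KEYS))
    print("cut at 29 bytes  :", fields_after_truncation(env["QUERY_STRING"], 29))
    print("seen via /proc   :", query_string_visible_via_proc(env))
    pline, penv, pbody = build_post("/cgi-bin/comment", SAMPLE_FORM)
    print("POST request line:", pline, "| env:", penv, "| stdin:", pbody)
```

Running it shows the same three fields reaching the CGI either way, but with GET the multi-line comment and the token appear in the request line, in the log line and in the child's environment as read by a different process, whereas with POST only `CONTENT_LENGTH` and `CONTENT_TYPE` are in the environment and the data is on stdin. The truncation helper reproduces the symptom from the original question: cutting the query string inside the TEXTAREA value keeps `user`, shortens `comment`, and loses `token` entirely.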