GET vs. POST security when using Ajax

I used ajax to send data. I managed to implement it using two different approaches:

1) Using the "POST" method and sending the data in the send() method, setting the request header:

var xmlHttp = getXMLHttpRequest();
var url = "login.do";
xmlHttp.open("POST", url, true);
xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        // Done. Do nothing.
    }
};
xmlHttp.send("userName=xyz&password=abc");


2) Using the "POST" method and adding the parameter values to the URL, like:

var xmlHttp = getXMLHttpRequest();
var url = "login.do?userName=xyz&password=abc";
xmlHttp.open("POST", url, true);
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        // Done. Do nothing.
    }
};
xmlHttp.send();


Since this is an Ajax call, the URL will not be displayed in the browser window, so I would like to know which approach is better and why. Thanks in advance.

+3




2 answers


Here is the W3 recommendation for you.

This pretty much tells you exactly what you need to do.

Authors of services that use the HTTP protocol MUST NOT use GET-based forms to submit sensitive data, as this will result in that data being encoded in the Request-URI. Many existing servers, proxies and user agents will log the request URI in some place where it can be seen by third parties. Servers can use POST-based form submission instead.

Even though this is a POST, its inner meaning is to keep the URL clean.




Apart from these two ways, if I were you, I would prefer clean code (imagine 10 query parameters).

var data = new FormData();
data.append('userName', 'xyz');
data.append('password', 'abc');

var xmlHttp = getXMLHttpRequest();
var url = "login.do";
xmlHttp.open("POST", url, true);
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        // Done. Do nothing.
    }
};
xmlHttp.send(data);


+1




Putting data into the request parameters of a URL does not make it a GET request. A POST request is a POST request; the difference is in sending the data in the URL or sending it as a POST body. There is no fundamental difference between the two in this case; the data is equally (not) visible to anyone who wants to watch.

The only debatable security difference is that the URL is likely to be logged by the server and/or proxy, while the body data usually is not. But then again, you are already sending the data to a server that you probably trust, so even that doesn't really matter. And the server could log the body if it wanted to.



Semantically, I would post the data in the body of the POST, but not for security reasons.

+1








