POST method and security

router

Hello!
I want to know how secure it's the POST method.
I'd like that my site will be a little secure, but i don't want to complicate too much.
Thanks! 🙂

sgoku01

It's not really secure, because people can easilly edit the sended data.
If you clean the incomming values correct, there is nothing to worry about (I think 😉).

ednark

rundown on basic basic internet security

Punchline:
always use POST if you can... never use GET for any sensative information... GET is ok to determine what part of the site you want in to... llike readarticle.php?date=01012002&author=ednark

but not for much else...

POST is not really that secure... just one level more secure as the user cannot from the browser change form fields that you did not expect them to...

only secure thing in HTTPS.... and even that won't pretect you from a serious hacker or say the gov't

you never never never are secure ever on the internet... you can only hope that you don't gain the ire of anyone skilled enough to want your server down

extra explaination

1)
when you submit a for with GET the info for the form is placed in plain site of the user in the address ?var=val&var=val

so the user can simply type something different and submit it, some fields can be changed with text boxes etc that you want the user to change but some fields are hidden... ie normally unchangable... these become changable in the address bar if you use get

the information in the address is written in plain text by the browser and sent across the internet as your request... anyone who is listening in on the route can simple read what is in your post

2)
the POST method does the same but does not show the info to the browser in the address bar no ?var=val

the infromation is still sent across the internet in the same method

however since all the information in the post still has to come from the form in some manner and the form is in html... anyone can look at your html source and see what they could do to fake a form request

either of these methods can be forged by someone with any knowledge of the innards of http communication and even your ip address can easily be spoofed...

3)
Secure http: Https.... uses the same base method to post and get and writes it in plain text to send... however when its time to send the information ... the browser itself uses public and private keys between it and the server to encrypt up the information... so its gibberish when its being sent.. so anyone spying in on you can't read it... however both your browser and the server must send across their public keys in plain unencrypted text over the internet... so a spy need only be looking for the initial key exchange, and then can decrypt and read anything sent between you two using they keys they saw... this step however requires the hacker to either be on your computer, be on the server, or be on some computer that your infromation always passes through... which excludes the hackers home computer... they would have to be in your compnay their company or the isp

4)
cookies... cookies make things slightly more secure... as the server expects your browser to have one to prove its authenticity... and the cookie will contain plain text information that only you are supposed to have... this however makes it easy for YOU to go in and mess with the info in your cookie....

5)
Cookie based Sessions.... gives a cookie with a unique id and only a unique id... which matches to some information stored on the server... if a request comes in with a session_id .... the server finds it and gives allows that infromation to be used by this guy only

you can however steal your dorm mates cookies from his browser plug it into yours and both use the same session when browsing, before the session ends on its own

diego25

cookies... cookies make things slightly more secure... as the server expects your browser to have one to prove its authenticity... and the cookie will contain plain text information that only you are supposed to have... this however makes it easy for YOU to go in and mess with the info in your cookie....

I wonder how easy it is to create a cookie, not just modify it...With IE, I tried creating a file named as my other cookies, but IE wouldn't pick it up...And for Mozilla, I couldn't find the cookies.dat file that it used to use (well, I didn't look hard enough anyway =P). So I was thinking of creating a program that has IE embedded, to take care of the HTML parsin, and then my app would do all the HTTP communication. This way, my app could specify all the cookie I want.....but I don't have time to program this right now 🙁 Anyone wanna take the challenge? 😛

Diego

router

ok, thank you very much for your explication.
Thank you ,ednark, i understand more about security.
In concluision, i think that i'm going to do nothing.
My forms will be post...i won't do more complicated the things, if someone want to heacker my site, he will do finally.... 😉
Thanks again!!
Router