0

Is it ok to pass passwords like this or should the method be POST or does it not matter?

xmlhttp.open("GET","pas123",true);
xmlhttp.send();

Additional info: I'm building this using a local virtual web server so I don't think I'll have https until I put upfront some money on a real web server :-)

EDIT: According to Gumo's link encodeURIComponent should be used. Should I do xmlhttp.send(encodeURIComponent(password)) or would this cause errors in the password matching?

Celeritas
  • 14,489
  • 36
  • 113
  • 194
  • possible duplicate of [Is either GET or POST more secure than the other?](http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secure-than-the-other) – Gumbo Mar 14 '13 at 20:14

3 Answers3

1

Post them via HTTPS than you don't need to matter about that ;)

But note that you need that the page which sends that data must be accessed with https too due the same origin policy.

About your money limentation you can use self signed certificates or you can use a certificate from https://startssl.com/ where you can get certificates for free.

rekire
  • 47,260
  • 30
  • 167
  • 264
0

All HTTP requests are sent as text, so the particulars of whether it's a GET or POST or PUT... don't really matter. What matters for security in transmission is that you send it via SSL (and handle it safely on the other end, of course).

You can use a self-signed cert until something better is made available. It will be a special hell later if you don't design with https in mind now :)

Fiarr
  • 858
  • 5
  • 16
0

It shouldn't matter, the main reason for not using GET on conventional web forms is the fact that the details are visible in the address bar, which isn't an issue when using AJAX. All HTTP requests (GET/POST/ect) are sent in plain text so could be obtained using network tracing software (e.g. Wireshark) to protect against this you will need to use HTTPS

Rob Farr
  • 853
  • 1
  • 9
  • 17