
I used AJAX to send the data. I was successful in implementing it using two different approaches:

1) Using method 'POST' and sending the data in the send() method, after setting the request header.

var xmlHttp = getXMLHttpRequest(); // not shown in the post; assumed to be the poster's own helper returning an XMLHttpRequest
var url = "login.do";
xmlHttp.open("POST", url, true);
xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        // Done. Do nothing.
    }
};
xmlHttp.send("userName=xyz&password=abc"); // parameters travel in the request body

2) Using method "POST" and appending the parameter values to the URL, as in:

var xmlHttp = getXMLHttpRequest(); // same helper as above
var url = "login.do?userName=xyz&password=abc"; // parameters travel in the query string
xmlHttp.open("POST", url, true);
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        // Done. Do nothing.
    }
};
xmlHttp.send(); // empty body

Since this is an AJAX call, the URL will not be visible in the browser window, so I wanted to know which approach is better and why. Thanks in advance.

  • IMO if you are doing a `POST`, you should pass the data in the request body and not in the URL, for various reasons like security, ease of passing complex data, etc. – abhishekkannojia Jun 30 '17 at 09:51
  • Well, think about it, what is more secure: passing the password through the URL, which is visible if someone looks at your monitor, or passing the password through a "hidden" transfer that is not visible on the screen? – XCS Jun 30 '17 at 10:06
  • @Cristy It's an AJAX request, it doesn't appear in the address bar. – deceze Jun 30 '17 at 10:07
  • Don't just think about client-side security: most server/proxy/load balancer etc. logs will log the URL, including the query string. Depends what you want to protect against. – James Thorpe Jun 30 '17 at 10:12
  • @JamesThorpe You are right, in some cases even your ISP might log the query string. Also, read this: https://stackoverflow.com/questions/323200/is-an-https-query-string-secure – XCS Jun 30 '17 at 10:13

2 Answers


Putting data into the URL's query parameters doesn't make it a GET request. A POST request is a POST request; the difference is between sending data in the URL or sending it as the POST body. There's no fundamental difference between the two in this case, the data is equally (non) visible to anyone who cares to look.

The only arguable difference in security is that the URL will likely be logged by the server and/or proxies, while body data usually isn't. But then again, you're already sending the data to the server you presumably trust, so even that doesn't make much of a difference. And the server(s) could be logging the body as well if they wanted to.

Semantically I'd send the data in the POST body, but that's not because of security.

deceze
  • *and the server(s) could be logging the body as well if they wanted to.* Is this line valid only for HTTP, or also for HTTPS? They can log, but encrypted data? I don't know. – Suresh Atta Jun 30 '17 at 10:22
  • The server that you're sending it to, of course, it *has* to be able to read the request. Any proxies in between: no, they'll just see encrypted garbage go by. – deceze Jun 30 '17 at 10:28
  • Ahh that makes sense and safe ;). Thank you. – Suresh Atta Jun 30 '17 at 10:30
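The logging difference described in the answer above, worked through as an added example (not code from the original question or answers). It models the two requests from the question, what a default access log entry would retain for each, and what the server parses from each. The Common Log Format line, the `/login.do` path and the sample credentials are assumptions for illustration; the page names none of them. The parameters are built from an object with `URLSearchParams`, which is also how you would encode many parameters without hand-concatenating strings.

```javascript
// Added example, not from the original post. Runs in Node.js or a browser.
// Assumptions: the server keeps an Apache/nginx style Common Log Format
// access log, and the login endpoint is /login.do.

const SENSITIVE_KEYS = ['password'];

// Build the on-the-wire shape of a POST whose parameters go either in the
// query string (inQuery = true) or in an x-www-form-urlencoded body.
function buildPostRequest(path, params, inQuery) {
  const encoded = new URLSearchParams(params).toString();
  if (inQuery) {
    return {
      requestLine: `POST ${path}?${encoded} HTTP/1.1`,
      headers: { 'Content-Length': '0' },
      body: '',
    };
  }
  return {
    requestLine: `POST ${path} HTTP/1.1`,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Content-Length': String(new TextEncoder().encode(encoded).length),
    },
    body: encoded,
  };
}

// Simulated Common Log Format entry: client, time, request line, status,
// size. The request line contains the path and query string; the body is
// never part of it, which is the whole difference the answer points at.
function accessLogLine(req, clientIp = '203.0.113.7', status = 200, bytes = 512) {
  return `${clientIp} - - [30/Jun/2017:10:06:00 +0000] "${req.requestLine}" ${status} ${bytes}`;
}

// Does a log line contain any sensitive value (in its URL-encoded form)?
function leaksSecret(logLine, params) {
  return SENSITIVE_KEYS.some((k) => {
    if (params[k] === undefined) return false;
    const enc = new URLSearchParams({ v: params[k] }).toString().slice(2); // strip "v="
    return logLine.includes(enc);
  });
}

// What the server sees: it reads parameters from wherever they were sent,
// so both variants "work" identically from the application's point of view.
function serverParams(req) {
  const [, target] = req.requestLine.split(' ');
  const qIdx = target.indexOf('?');
  const query = qIdx >= 0 ? target.slice(qIdx + 1) : '';
  const body = req.headers['Content-Type'] === 'application/x-www-form-urlencoded' ? req.body : '';
  const joined = query && body ? `${query}&${body}` : query + body;
  return Object.fromEntries(new URLSearchParams(joined));
}

// Constructed sample input (same values as the question).
const creds = { userName: 'xyz', password: 'abc' };
const viaQuery = buildPostRequest('/login.do', creds, true);
const viaBody = buildPostRequest('/login.do', creds, false);

console.log(accessLogLine(viaQuery)); // password visible in the logged request line
console.log(accessLogLine(viaBody));  // only "POST /login.do HTTP/1.1" is logged
```

Both requests parse to the same parameters on the server; only the query-string variant leaves the password in anything that logs request lines, whether the origin server, a reverse proxy, or a load balancer in front of it. HTTPS does not change this for the terminating server or any TLS-terminating proxy, since they see the plaintext request line.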

Here is the W3 recommendation for you.

That pretty much says what exactly you need to do.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead.

Though it is saying POST, the internal meaning of it is to keep the URL clean.


Apart from the given two ways, if I were you, I would prefer clean code (imagine 10 query params).

var data = new FormData(); // sent as multipart/form-data; the browser sets the Content-Type header itself
data.append('userName', 'xyz');
data.append('password', 'abc');

var xmlHttp = getXMLHttpRequest(); // not shown in the post; assumed to be the asker's own helper returning an XMLHttpRequest
var url = "login.do";
xmlHttp.open("POST", url, true);
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        // Done. Do nothing.
    }
};
xmlHttp.send(data);
Suresh Atta