I have come across many websites which either use the doGet() or the doPost() method to handle the username and password fields entered into the login form, but as it seems to me, when we use doGet() we have to encrypt the username and password fields ourselves, as they are appended to the URL, which is not so in doPost() (the work is a little less, it seems... phewww).
But, I was kinda worried as to whether using dopost() is safe and secure or not as username and password fields are highly sensitive data.
Can anybody please tell me the merits or demerits of using either of the two in a login form?
POST has a higher overhead (marginally, if we're honest, but it all adds up), but it doesn't become part of the URL, so it can't be seen by, say, a casual observer over the user's shoulder, whereas GET can. Both, however, can be equally easily intercepted over the network, so both are insecure if you don't use any encryption... GET is just worse, because it can be read by anyone without any deliberate attempt to intercept the password.
If you use GET, the user can easily modify the input just by changing the URL. This can be a good or bad thing; you have to decide on a case-by-case basis. POST cannot be as easily modified by the user.
The trick is to encrypt any passwords or sensitive data before you send it. That way there’s little to no risk if the packet is intercepted and, since you’ve encrypted the string, you don’t mind if someone reads it over the user’s shoulder… you can therefore use GET and save yourself a little bit of overhead at the expense of longer, less pretty URLs. At this stage, neither is really more secure than the other.
In an ideal security world, you’d use POST with SSL so that nothing is in the URL to be very easily intercepted, and nothing that is intercepted can be used easily.
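The "POST with SSL" combination from the answer, written out as a servlet. This is an added example, not code from the question or the answer: it renders the form on GET, refuses any password that arrives on the query string, only processes credentials from a POST that arrived over TLS (`HttpServletRequest.isSecure()`), and verifies them against a PBKDF2 hash with a constant-time comparison. The demo account, salt and password are constructed for the example; `changeSessionId()` assumes Servlet 3.1 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Login servlet that accepts credentials only in the body of a POST sent
 * over TLS. Credentials never appear in the URL, so they stay out of the
 * browser history, proxy and server access logs, and the Referer header
 * of whatever page is loaded next.
 */
public class LoginServlet extends HttpServlet {

    // Constructed demo account: in a real deployment the salt and hash
    // are loaded from the user store, never hard-coded.
    private static final String DEMO_USER = "alice";
    private static final byte[] DEMO_SALT =
            "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DEMO_HASH =
            pbkdf2("correct horse battery staple".toCharArray(), DEMO_SALT);

    // GET may show the form, but must never process a password.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getParameter("password") != null) {
            // A password on the query string is already in the logs; refuse it.
            resp.setHeader("Allow", "POST");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "Credentials must be submitted with POST");
            return;
        }
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print(
                "<form method=\"post\" action=\"login\">"
              + "<input name=\"username\">"
              + "<input name=\"password\" type=\"password\">"
              + "<button type=\"submit\">Log in</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // isSecure() is true when the request arrived over HTTPS (or the
        // container is configured to trust a TLS-terminating proxy).
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Login is only accepted over HTTPS");
            return;
        }
        resp.setHeader("Cache-Control", "no-store");

        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!verifyCredentials(username, password)) {
            // Same response for unknown user and wrong password.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        // Issue a fresh session id on login so a pre-set id cannot be reused.
        req.getSession();
        req.changeSessionId();
        req.getSession().setAttribute("user", username);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Derive a key from the password and compare in constant time, so the
    // response time does not leak how many bytes of the hash matched.
    private static boolean verifyCredentials(String username, String password) {
        if (!DEMO_USER.equals(username)) {
            // Still do the work, so unknown users cost the same time.
            pbkdf2(password.toCharArray(), DEMO_SALT);
            return false;
        }
        byte[] candidate = pbkdf2(password.toCharArray(), DEMO_SALT);
        return MessageDigest.isEqual(candidate, DEMO_HASH);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two points the servlet makes concrete: the GET handler answers 405 rather than quietly accepting a password from the URL, because by the time the request reaches the servlet the query string has already been written to the access log; and the POST handler checks `isSecure()` before touching the parameters, since a POST body over plain HTTP is exactly as readable on the wire as a GET URL.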