I recall reading some time ago that all GET requests from a web browser are logged. Is this correct? Where are these logs located?
If so, are there any workarounds to prevent logging your web service usernames and passwords?
I understand I can change my web service to accept POSTs (which, if I recall correctly, the article said were not logged), but the issue I have with this is that currently the web service accepts GETs and returns JSON, and POSTs return XML. This seems like a handy feature and something I would like to keep.
What are best practices regarding such scenarios?
The particular issue comes with GET requests to authenticate, where the user credentials are sent in plain text as query parameters in the URL. Most web servers will log the verb and the URL for all requests, so when the credentials are part of the URL, they will show up in the web server log.
POST requests on the other hand, usually send the data in the body of the request, so it will not show in the web server logs, as standard logging configuration does not log the payload of the requests. That said, even if you do switch to using POST, an administrator still can configure the hosting web server to record the payload of each request.
And to answer your specific question – no, there is no way to prevent the user credentials from being logged by the web server if they are part of the request URL. However, you could (and should) change your code to at least not send the credentials in plain text, but instead hash them with a hash salt generated by your web service at the beginning of the current session (and put in a cookie, for example). Since the cookies are not logged on the server, and the hash salt changes between sessions, there is no way for someone to extract the credentials from the log file alone.
On a side note, you should also change your service to decide the response format based on the accepted content type specified in the request, instead of the request verb.
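As an added illustration of the points in this answer (example code, not from the question or the answer), a small Python model of what a web server's access log records for GET versus POST, the per-session salted hash, and Accept-header content negotiation. The log line format, the `/login` path and the sample credentials are constructed for the example.

```python
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode

def access_log_line(method, path, query, status=200):
    """Common Log Format entry as a web server would write it: the verb and the
    request target, query string included, are recorded; the body never is."""
    target = path + ("?" + query if query else "")
    return f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "{method} {target} HTTP/1.1" {status} 0'

def negotiate(accept_header):
    """Choose the response format from the Accept header instead of the verb."""
    offered = [m.split(";")[0].strip() for m in (accept_header or "").split(",")]
    return "application/xml" if {"application/xml", "text/xml"} & set(offered) else "application/json"

def render(payload, content_type):
    if content_type == "application/xml":
        return "<response>" + "".join(f"<{k}>{v}</{k}>" for k, v in payload.items()) + "</response>"
    return json.dumps(payload)

def session_salt():
    """Per-session salt the service hands out in a cookie (cookies are not in the access log)."""
    return secrets.token_hex(16)

def salted_hash(password, salt):
    """What the client sends in place of the plain-text password for this session."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def handle(method, path, query, headers, body):
    """Return (access_log_line, content_type, response_body) for one request."""
    params = parse_qs(query if method == "GET" else body)
    user = params.get("username", [""])[0]
    content_type = negotiate(headers.get("Accept"))
    return access_log_line(method, path, query), content_type, render({"user": user, "ok": True}, content_type)

CREDS = {"username": "alice", "password": "s3cret"}  # constructed sample credentials

def demo():
    get_log, _, _ = handle("GET", "/login", urlencode(CREDS), {"Accept": "application/json"}, "")
    post_log, ct, out = handle("POST", "/login", "", {"Accept": "application/xml"}, urlencode(CREDS))
    salt = session_salt()
    hashed = dict(CREDS, password=salted_hash(CREDS["password"], salt))
    hashed_log, _, _ = handle("GET", "/login", urlencode(hashed), {"Accept": "application/json"}, "")
    return {"get_log": get_log, "post_log": post_log, "hashed_get_log": hashed_log,
            "content_type": ct, "body": out}
```

Running `demo()` shows the plain-text password inside the GET log line, absent from the POST log line, and replaced by a session-specific digest in the hashed GET line, while the XML body is chosen purely by the Accept header.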