Session.signOn authentication - why GET instead of POST?


Akinwale Ariwodola

Apr 11, 2008, 5:09:57 AM
to wimas3
Hello all,
First of all, I'd like to say that wimas is pretty neat. And it
would've been nicer if I knew about it earlier instead of having to
write my own code to interface with WebAIM.

I'd like to know the reasoning behind using a GET request for
authentication instead of POST. With GET, the pwd field is included in
the URL, which doesn't in any way seem secure to me. Is there any
particular reasoning behind this?

Thanks.

Shawn Carnell

Apr 11, 2008, 7:57:34 AM
to wim...@googlegroups.com, Akinwale Ariwodola
clientLogin, which is the auth request, is via POST over https. (See line 115 of ClientLogin.as.) Did you spot a suspicious GET somewhere else?

Yeah, spreading the word about wimas3 turns out to be challenging. How did you learn about WebAIM? I'd like to try and stick a giant, blinking, red link to wimas3 on whatever page was your introduction to WebAIM.

Thanks for your interest and feedback!

Shawn

Akinwale Ariwodola

Apr 11, 2008, 8:09:03 AM
to wimas3
Yeah, I realised I assumed wrongly upon a second glance. I was
actually monitoring the debug output and noticed the parameters
concatenated (as required with the clientLogin request), and actually
thought this was the URL with which the request was being made.

As to how I heard about WebAIM, I'm working on an entry for the
OpenAIM competition being hosted by TopCoder, and yeah, I wanted to do
something web based. I'm using wimas3 based on your recommendation in
a thread I posted in the forums. I would assume you could get the
competition organisers to also post something about wimas3 on the blog
which is actually the homepage: http://www.topcoder.com/openaim/

On Apr 11, 12:57 pm, "Shawn Carnell" <shawncarn...@gmail.com> wrote:
> clientLogin, which is the auth request, is via POST over https.  (See line
> 115 of ClientLogin.as.)  Did you spot a suspicious GET somewhere else?
> Yeah, spreading the word about wimas3 turns out to be challenging.  How did
> you learn about WebAIM?  I'd like to try and stick a giant, blinking, red
> link to wimas3 on whatever page was your introduction to WebAIM.
>
> Thanks for your interest and feedback!
>
> Shawn
>
> On Fri, Apr 11, 2008 at 5:09 AM, Akinwale Ariwodola <akinw...@gmail.com>
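
An added example, not from wimas3 or from any poster in this thread: a Python check that flags requests carrying a secret such as the `pwd` field in the URL query string, and masks the value before a request or debug line is written to a log. The host, the other parameter names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secrets. "pwd" is the field named in the thread;
# the others are assumed, commonly seen names.
SENSITIVE = {"pwd", "password", "passwd", "token"}

# name=value pairs as they appear in a query string, form body or debug line.
_PAIR = re.compile(
    r"(?<![\w.-])(" + "|".join(sorted(SENSITIVE)) + r")=([^&\s\"']*)",
    re.IGNORECASE,
)

def redact(text):
    """Mask secret values in a URL, form body or debug line before logging."""
    return _PAIR.sub(lambda m: m.group(1) + "=[REDACTED]", text)

def secrets_in_url(url):
    """Return the sensitive parameter names present in the URL query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name.lower() for name, _ in pairs} & SENSITIVE)

def audit(requests):
    """requests: iterable of (method, url, body).

    A secret in the URL ends up in server logs, proxies and browser history
    whatever the method, so only the URL is inspected. The same fields in a
    POST body over https are not reported.
    """
    findings = []
    for method, url, _body in requests:
        leaked = secrets_in_url(url)
        if leaked:
            findings.append((method, redact(url), leaked))
    return findings

# Constructed sample traffic: the same login sent two ways.
SAMPLE_REQUESTS = [
    ("GET", "https://api.example.test/auth/login?s=alice&pwd=hunter2&f=json", ""),
    ("POST", "https://api.example.test/auth/login", "s=alice&pwd=hunter2&f=json"),
]

if __name__ == "__main__":
    for method, url, names in audit(SAMPLE_REQUESTS):
        print(f"{method} {url} carries {names} in the URL")
    # A debug line that prints the concatenated parameters should be masked too.
    print("debug body:", redact(SAMPLE_REQUESTS[1][2]))
```
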