Re: $_PARAMETERS Super Global Object

From:
Date: Fri, 24 Feb 2012 23:04:47 +0000
Subject: Re: $_PARAMETERS Super Global Object
Groups: php.internals

On Fri, Feb 24, 2012 at 2:54 PM, Larry Garfield <[email protected]> wrote:
> On 2/24/12 4:48 PM, Ronald Chmara wrote:
>>
>> On Fri, Feb 24, 2012 at 2:40 PM, Larry Garfield<[email protected]>
>>> Except that per HTTP, GET and POST are completely different operations. One
>>> is idempotent and cacheable, the other is not idempotent and not cacheable.
>>> I very much care which someone is using.
>> People exploiting security would *never* think of
>> caching/replaying/modifying a POST request, that's just totally
>> unimaginable! It would take, like HUGE computational effort to like,
>> cURL it or just type it out!
>> er, no.
> Please point out where I said that POST is not a security risk.  I am quite
> sure I typed no such thing, so how you read such a thing I do not know.  I
> am genuinely curious to see how you managed to interpret anything I said as
> "POST is secure because it won't be cached".

Well, I didn't actually say that you said any such thing. I picked up on:
"the other is not idempotent and not cacheable"
...which is obviously false, and I highlighted, in a security context,
how POSTs are cached, and should be treated with equal distrust as
GET, because both are suspect, user-submitted forms of data, subject
to exploitation.

-Ronabop

