For Login GET or POST?


Solution 1

Always POST, and preferably with SSL (as in: https://...), because the parameters in GET get stored all over the place for caching reasons.

So, if your boss needs a reason: security.


There is a REST-related reason: GET queries, first of all, are expected to be aggressively cached, because they do not alter the server's state or data. POST requests instead are expected never to be cached, because they alter the state of the server and (unlike PUT requests) there is no expectation that calling the same POST request multiple times returns the same response and leaves the server in the same state.

For example: if you send 5 login requests that fail, the 6th one can return "your IP has been blocked for 30 min" as a response.

Solution 2

Use POST. With GET the parameters are in the URL, which is very insecure. While https (you are using https, right?) should encrypt everything end-to-end, with GET the parameters will be in plain text in log files and in the user's browser (until the next page is loaded or redirected).
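An added example, not code from the question or from either answer, that shows both points above in working Python: a login handler that accepts credentials only from a POST body, refuses them in the query string, marks its response Cache-Control: no-store, and a Common Log Format writer that shows why a GET login leaks the password into the server's access log while a POST does not. The user store, salt, password, client address and log timestamp are constructed for the demo; a real deployment would use a per-user salt, a higher PBKDF2 iteration count and a session token on success.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

# Constructed user store for the demo: one user, password stored as a
# salted PBKDF2-HMAC-SHA256 hash, never in clear.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
}


def _verify(username, password):
    """Constant-time password check; unknown users cost the same as wrong passwords."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    stored = _USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def login(method, query_string, body):
    """Handle /login. Returns (status, headers, body_text).

    Credentials are read only from a POST body, never from the URL, and every
    response (success or failure) is marked non-cacheable so no proxy or
    browser cache ever holds a login response.
    """
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if method != "POST":
        headers["Allow"] = "POST"
        return 405, headers, "use POST"
    if query_string:
        # Refuse to even look at credentials placed in the URL: the URL is
        # what ends up in access logs, Referer headers and browser history.
        return 400, headers, "credentials must not be in the query string"
    form = urllib.parse.parse_qs(body, keep_blank_values=True)
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if _verify(user, password):
        return 200, headers, "ok"
    return 401, headers, "invalid credentials"


def access_log_line(method, path, query_string, status, client="127.0.0.1"):
    """Common Log Format line as a web server would write it.

    The request line (method, path and query string) is logged verbatim;
    the request body is never part of it. Timestamp is constructed.
    """
    target = path + ("?" + query_string if query_string else "")
    ts = datetime(2017, 5, 14, 20, 16, 28, tzinfo=timezone.utc)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{client} - - [{stamp}] "{method} {target} HTTP/1.1" {status} -'


if __name__ == "__main__":
    creds = "username=alice&password=correct+horse"
    # A GET login: the handler rejects it, but the password is already in the log.
    status, _, _ = login("GET", creds, "")
    print(access_log_line("GET", "/login", creds, status))
    # A POST login: same credentials in the body, nothing sensitive in the log.
    status, headers, text = login("POST", "", creds)
    print(access_log_line("POST", "/login", "", status), text, headers["Cache-Control"])
```

Running the block prints a log line containing `password=correct+horse` for the GET attempt and a line containing only `POST /login HTTP/1.1` for the POST, which is the whole argument in one screen: with GET the secret is written to disk by the web server before your code runs.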

Author: Abhijeet Prasad

Updated on June 24, 2022

Comments

  • Abhijeet Prasad, almost 2 years ago

    I want to know which HTTP method I should use for developing a login API, GET or POST? I have developed my login API in PHP using the POST method, but my boss says: why did you use the POST method instead of the GET method?

  • Harikrishnan, almost 7 years ago
    No. GET parameters are passed via the URL and are visible.
  • acr, almost 7 years ago
    Nothing is visible if the request is AJAXed, and this API may not be for browsers; then GET is preferred since it is simple.
  • Funk Forty Niner, almost 7 years ago
    I can't see why this answer was downvoted. If anything to get downvoted for, it would be a tad low-quality. Other than that, whoever did downvote it should read Is either GET or POST more secure than the other?
  • Harikrishnan, almost 7 years ago
    Visible in access logs like this: 127.0.0.1 - - [14/May/2017:20:16:28 +0530] "GET /phpmyadmin/index.php?ajax_request=1&recent_table=1&token=8269
  • Harikrishnan, almost 7 years ago
    Also, I didn't downvote.
  • acr, almost 7 years ago
    Access logs must be protected by the administrator.
  • Funk Forty Niner, almost 7 years ago
    "it does not matter POST or GET, more important using HTTPS" - @acr You are right to a certain extent. The reason for the person's downvote could have been that you seem to be stating that using POST or GET through a regular http: call doesn't matter; it does. Through an https: call, then that's a different story. You should edit your answer to make it a better answer. Just trying to help you out here.
  • acr, almost 7 years ago
    The PHP coder added a wrong answer about GET caching; how will they complain?
  • Harikrishnan, almost 7 years ago
    Yes, the admin must protect logs. But even in that context POST is a little more secure, as it is neither logged nor cached.
  • acr, almost 7 years ago
    The difference is really little and depends on the server and server settings; the server can be set up to make GET secure.