Not to mention that if the originator of the link is a web page, the information is in the html code, even if using a post. Otherwise, in Zope, using GET or POST works equally well. Unless you do something really special, you can actually switch between using one or the other without changing code or anything else. J.F. -----Original Message----- From: zope-bounces@zope.org [mailto:zope-bounces@zope.org]On Behalf Of Jamie Heilman Sent: Wednesday, February 04, 2004 3:23 PM To: zope@zope.org Subject: Re: [Zope] URLs expose information which we'd like to hide Dennis Allison wrote:

The parameters passed by GET and, to a lesser extent, the URLs themselves, represent a security issue in one of our systems.

What does that mean? Why do you think its a security issue?

A partial solution would be to make POST not GET the standard for parameter transmital. Has anyone tried this? I suspect there are all sorts of hidden gotchas.

Using POST to send query params instead of GET is trivial. The only gotchas are that using very few browsers handle redirecting POST transactions correctly. This doesn't have anything to do with security though. -- Jamie Heilman http://audible.transient.net/~jamie/ "...thats the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )