7

I want to know which HTTP method I should use for developing a login API, GET or POST? I have developed my login API in PHP using the POST method, but my boss asks why I use the POST method instead of the GET method.

Abhijeet Prasad

3 Answers

17

Always POST, and preferably with SSL (as in: https://...), because the parameters in GET get stored all over the place for caching reasons.

So, if your boss needs a reason: security.


There is a REST-related reason: GET queries are, first of all, expected to be aggressively cached, because they do not alter the state of the data on the server. POST requests instead are expected never to be cached, because they alter the state of the server and (unlike PUT requests) there is no expectation that calling multiple POST requests returns the same response and leaves the server in the same state.

For example: if you send 5 login requests that fail, the 6th one can return "your IP has been blocked for 30 min" as a response.

tereško
4

Use POST. With GET the parameters are in the URL, which is very insecure. While https (you are using https, right?) should encrypt everything end-to-end, with GET the parameters will be in plain text in log files and in the user's browser (until the next page is loaded or redirected).
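The two answers above make the same practical points: credentials in a GET query string end up in access logs and browser history, and a login endpoint is stateful (repeated failures change what the server does next). The following is an added example in Python, not the asker's PHP API and not code from any of the answers: a minimal WSGI login handler that refuses anything but POST, marks its responses uncacheable, locks a client IP out after repeated failures, and a Common Log Format builder that shows what a web server would actually write for each request. The user, password, IPs, timestamp and lockout numbers are all constructed for the demo.

```python
"""Added example (not from the question or answers): a minimal WSGI login
endpoint that only accepts POST, marks its responses uncacheable, and
throttles repeated failures per client IP, plus a Common Log Format line
builder showing why GET is the wrong choice: the query string (and any
credentials in it) lands in the access log, while the request body does not.
Credentials, IPs and the lockout policy below are constructed for the demo.
"""
import hashlib
import hmac
import io
import time
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed demo user: password "correct horse" hashed with a fixed salt.
# A real service would use a slow hash (argon2/bcrypt) and a database lookup.
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

MAX_FAILURES = 5            # failures allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 30 * 60   # "blocked for 30 min", as in the answer above
_failures = defaultdict(list)   # client ip -> timestamps of recent failures


def _check_password(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = _USERS.get(user, "")
    # compare_digest avoids a timing side channel on the comparison itself
    return hmac.compare_digest(digest, expected)


def _locked_out(ip, now):
    recent = [t for t in _failures[ip] if now - t < LOCKOUT_SECONDS]
    _failures[ip] = recent
    return len(recent) >= MAX_FAILURES


def login_app(environ, start_response):
    """WSGI app: POST /login with a form body user=...&password=..."""
    no_cache = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]
    ip = environ.get("REMOTE_ADDR", "-")
    now = environ.get("demo.now", time.time())   # injectable clock for tests

    if environ["REQUEST_METHOD"] != "POST":
        # Refuse GET outright so credentials never end up in the URL.
        start_response("405 Method Not Allowed", [("Allow", "POST")] + no_cache)
        return [b"use POST\n"]

    if _locked_out(ip, now):
        start_response("429 Too Many Requests", no_cache)
        return [b"your IP has been blocked for 30 min\n"]

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    user = form.get("user", [""])[0]
    password = form.get("password", [""])[0]

    if _check_password(user, password):
        _failures.pop(ip, None)          # successful login clears the counter
        start_response("200 OK", no_cache)
        return [b"welcome\n"]

    _failures[ip].append(now)
    start_response("401 Unauthorized", no_cache)
    return [b"bad credentials\n"]


def access_log_line(environ, status):
    """Common Log Format line as Apache/nginx would write it. Only the
    request line (method, path, query) is logged; the body never is.
    The timestamp is fixed so the output is reproducible."""
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    target = path + ("?" + query if query else "")
    return '%s - - [%s] "%s %s HTTP/1.1" %s' % (
        environ.get("REMOTE_ADDR", "-"), "14/May/2017:20:16:28 +0530",
        environ["REQUEST_METHOD"], target, status)


def make_request(method, query="", body="", ip="203.0.113.7", now=0.0):
    """Build a minimal WSGI environ for the demo (constructed input)."""
    data = body.encode()
    return {"REQUEST_METHOD": method, "PATH_INFO": "/login",
            "QUERY_STRING": query, "REMOTE_ADDR": ip, "demo.now": now,
            "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}


def call(environ):
    """Run login_app and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(login_app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    env = make_request("GET", query="user=alice&password=correct+horse")
    print(call(env)[0], "|", access_log_line(env, 405))
    env = make_request("POST", body="user=alice&password=correct+horse")
    print(call(env)[0], "|", access_log_line(env, 200))
```

Running the block prints two log lines side by side: the GET attempt is rejected with 405, yet the log already holds `password=correct+horse` in the request line; the POST attempt succeeds and the log shows only `POST /login`. The `Cache-Control: no-store` header is what keeps a proxy or browser from retaining either response, and the per-IP counter is the stateful behaviour that makes a login request non-idempotent in the first place.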

-2

There is really little difference between POST and GET from a security point of view; more important is using HTTPS and a properly tuned server.

acr
  • No. GET parameters are passed via the URL and are visible. – Harikrishnan May 14 '17 at 15:05
  • Nothing is visible if the request is ajaxed, and this API may not be for browsers; then GET is preferred since it is simpler – acr May 14 '17 at 15:09
  • I can't see why this answer was downvoted. If anything to get downvoted for, would be a tad low-quality. Other than that, whoever did downvote it, should read [Is either GET or POST more secure than the other?](http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secure-than-the-other) – Funk Forty Niner May 14 '17 at 15:11
  • 1
    Visible in access logs like this. `127.0.0.1 - - [14/May/2017:20:16:28 +0530] "GET /phpmyadmin/index.php?ajax_request=1&recent_table=1&token=8269` – Harikrishnan May 14 '17 at 15:11
  • Also I didn't down vote. – Harikrishnan May 14 '17 at 15:12
  • access logs must be protected by administrator – acr May 14 '17 at 15:15
  • *"it does not matter POST or GET, more important using HTTPS"* - @acr You are right to a certain extent. The reason for the person's downvote could have been because you seem to be stating that using POST or GET through a regular `http:` call that it doesn't matter; it does. Through an `https:` call, then that's a different story. You should edit your answer and to be a better answer. Just trying to help you out here. – Funk Forty Niner May 14 '17 at 15:23
  • A php coder adds a wrong answer about GET caching, how will they complain? – acr May 14 '17 at 15:24
  • Yes. The admin must protect logs. But even in that context POST is little more secure as it is neither logged nor cached. – Harikrishnan May 14 '17 at 15:30
  • The difference is really little, and depends on the server and server settings; the server can be set up so GET is secure – acr May 14 '17 at 15:33