Re: Security concern: cachemgr & GET method ?

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Mon, 11 Jan 1999 10:00:03 -0700 (MST)

On Mon, 11 Jan 1999, Juergen Kuersch wrote:

> Wouldn't it improve security if the cache manager functionality was completely
> based on HTTP's POST method (not to mention SSL, of course), in order to keep
> it from being added to history and access.log files?

The main reason why the Web interface uses GET is that with POST you have to
answer annoying "Resend POST data?" questions all the time. Ideally, we
should use Basic or other HTTP authentication methods.

Using POST data on the Squid side will require some changes in the Squid
code.

There is probably no good reason to protect all cache manager operations
with a password. And, if you are concerned about security, you can avoid
using any password-protected operations through the browser. Not an ideal
solution, of course.

Alex.
Received on Mon Jan 11 1999 - 10:00:29 MST
