The HTTP methods specified in the ALLOW directive are
the two methods used by the HTTP server to pass information to the
CGI program (Application Broker). The ALLOW directive lists the allowable
values for the request method; this line does not actually set the
method. The method names are GET and POST:
- GET tells the server to process the entire form as one long concatenated string of values appended to the URL. Using GET allows users to bookmark the resulting dynamic pages. However, the resulting page's URL can become very long and display variable information that you might prefer not to display.
- POST sends the form data in a long input stream, which is not visible to users. Using POST is helpful when processing a large amount of data. However, users cannot bookmark the resulting pages.
To specify which HTTP
methods the Application Broker should allow, locate the following
line in the configuration file:
Allow get post
If you want to allow
both methods, leave the line as it is. If you want to allow only one
method, delete the method that you do not want to allow. By default,
both methods are allowed, so commenting or omitting the directive
allows both GET and POST.
As stated, the ALLOW
directive does not set the HTTP method. That is done in each HTML
page that references the Application Broker. The author of the HTML
portion of an Application Dispatcher application specifies either
the GET or POST method in the HTML form tag, for example:
<form action=<location of Application Broker> method=post|get>
One simple, but not
ironclad, security technique is to use the POST method when you invoke
the Application Broker. In your HTML form tag, specify ACTION=, which
points to the Application Broker. In addition, you can specify a method
as shown in the following example:
<form action="/cgi-bin/broker" method="post">
The POST method passes
all form variables to the Application Broker on standard input, which
prevents them from appearing as part of the URL. This makes it harder,
though not impossible, for users to alter the values sent to your program.
Note: Using POST prevents the submitted
form data from appearing in the Web server log files. POST also prevents
you from bookmarking those dynamically generated pages.
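The following is an added illustration, not code from the Application Broker or its documentation, of the two mechanisms described above: the ALLOW directive (which methods the broker accepts, defaulting to both when the line is commented out or omitted) and where GET and POST place the form data. The directive parser assumes one directive per line, case-insensitive names and `#` as the comment character; the page does not specify that syntax, so treat it as a modelling assumption.

```python
"""Model of the Application Broker ALLOW directive and of the GET/POST
data path.  Added example; the comment syntax ('#') and one-directive-
per-line layout are assumptions, not taken from the documentation."""
from urllib.parse import urlencode

# The page states that omitting or commenting out the directive allows both.
DEFAULT_METHODS = frozenset({"GET", "POST"})


def allowed_methods(config_text):
    """Return the set of request methods the Allow directive permits."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip assumed '#' comments
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() == "ALLOW":
            # A bare 'Allow' line is treated as allowing nothing (assumption).
            return frozenset(p.upper() for p in parts[1:])
    return DEFAULT_METHODS


def check_request(config_text, environ):
    """Gatekeeper a CGI front end would run before dispatching a request.
    Returns (status, detail); 405 when the method is not on the Allow list."""
    method = environ.get("REQUEST_METHOD", "").upper()
    permitted = allowed_methods(config_text)
    if method not in permitted:
        return 405, "Allow: " + ", ".join(sorted(permitted))
    return 200, "dispatch to Application Broker"


def form_data_location(method, fields):
    """Show where submitted fields travel: GET appends them to the URL
    (and therefore to the access log); POST sends them on standard input."""
    encoded = urlencode(fields)
    if method.upper() == "GET":
        return {"url_query": encoded, "stdin": ""}
    return {"url_query": "", "stdin": encoded}


if __name__ == "__main__":
    # Constructed sample configurations: the default line and a hardened one.
    default_cfg = "Allow get post\n"
    post_only_cfg = "# Allow get post\nAllow post\n"
    print(check_request(default_cfg, {"REQUEST_METHOD": "GET"}))
    print(check_request(post_only_cfg, {"REQUEST_METHOD": "GET"}))
    print(form_data_location("GET", {"_program": "sample.run", "user": "x"}))
```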