Contents SAS/IntrNet 9.1: Application Dispatcher Previous Next

Specifying HTTP Methods

The HTTP methods specified in the ALLOW directive are the two methods used by the HTTP server to pass information to the CGI program (Application Broker). The ALLOW directive lists the allowable values for the request method; this line does not actually set the method. The method names are GET and POST.

To specify which HTTP methods the Application Broker should allow, locate the following line in the configuration file:

   Allow get post

If you want to allow both methods, leave the line as it is. If you want to allow only one method, delete the method that you do not want to allow. By default, both methods are allowed, so commenting out or omitting the directive allows both GET and POST.

As stated, the ALLOW directive does not set the HTTP method. That is done in each HTML page that references the Application Broker. The author of the HTML portion of a Dispatcher application specifies either the GET or POST method in the HTML form tag, for example:

   <form action=<location of Application Broker> method=post|get>

One simple, but not ironclad, security technique is to use the POST method when you invoke the Application Broker. In your HTML form tag, specify ACTION=, which points to the Application Broker. In addition, you can specify a method as shown in the following example:

   <form action="/cgi-bin/broker" method="post">

The POST method passes all form variables to the Application Broker on standard input, which prevents them from appearing as part of the URL. This method makes it more difficult for users to subvert the values sent to your program.

Note: Using POST prevents the submitted form data from appearing in the Web server log files. POST also prevents you from bookmarking those dynamically generated pages.
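The following audit sketch is an added example, not part of the SAS documentation. It reads the ALLOW directive from configuration text and lists every HTML form that targets the Application Broker without `method="post"`, including forms that omit the method and therefore fall back to the HTML default of GET. It assumes that `#` marks a comment line in the configuration file; the function names and sample inputs are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the SAS documentation).
SAMPLE_CFG = "#Allow get post\nAllow post\n"
SAMPLE_HTML = """<html><body>
<form action="/cgi-bin/broker" method="post"></form>
<form ACTION="/cgi-bin/broker" METHOD="GET"></form>
<form action="/cgi-bin/broker"></form>
<form action="/search" method="get"></form>
</body></html>"""

def allowed_methods(cfg_text):
    """Methods permitted by the Allow directive; both GET and POST when
    the directive is commented out or omitted, as the page states.
    Assumption: a commented line starts with '#', so its first word
    never equals 'allow' and the line is skipped."""
    for line in cfg_text.splitlines():
        words = line.split()
        if words and words[0].lower() == "allow":
            return {w.upper() for w in words[1:]} & {"GET", "POST"}
    return {"GET", "POST"}

class FormAudit(HTMLParser):
    """Collects forms that invoke the broker with a method other than POST."""
    def __init__(self, broker_path):
        super().__init__()
        self.broker_path = broker_path
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        attr = dict(attrs)  # the parser lowercases attribute names
        action = attr.get("action") or ""
        # A form with no method attribute is submitted with GET.
        method = (attr.get("method") or "get").lower()
        if action.endswith(self.broker_path) and method != "post":
            self.findings.append((self.getpos()[0], action, method))

def audit(cfg_text, html_text, broker_path="/cgi-bin/broker"):
    """Return the allowed methods and (line, action, method) per non-POST form."""
    parser = FormAudit(broker_path)
    parser.feed(html_text)
    parser.close()
    methods = allowed_methods(cfg_text)
    return {"allowed": methods, "get_enabled": "GET" in methods,
            "non_post_forms": parser.findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CFG, SAMPLE_HTML))
```

When `get_enabled` is true, each entry in `non_post_forms` is a page whose form values travel in the URL; when it is false, those same forms are ones the broker's method list no longer permits.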

