Login via HTTP “GET” is now deprecated (Release 56.00)
Overview
This announcement provides information that may impact the ability of partner systems to authenticate with Commander systems starting with release 56.00.
The Commander system provides access to partner systems for configuration, reporting, and transaction details via HTTP requests (URLs) using https, as defined by IETF RFC 7231.
Change for Release 56.00
The security community has raised concerns over sensitive information such as usernames and passwords being included in HTTP URLs. Therefore, starting with release 56.00, the Commander will restrict the use of usernames and passwords in login requests provided via the HTTP GET method.
Partners should ensure that all HTTP requests that contain username/password information use the HTTP POST method.
With release 56.00, using the HTTP GET method with usernames and passwords will be deprecated – i.e., usage will still be permitted, but a warning message will be produced to the customer’s remote security (SIEM) log server.
For example:
Deprecated HTTP GET method request! Future versions require HTTP POST for 'validate' command (remoteIP = 192.168.31.245)
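As an added example (not part of the announcement), the following Python snippet shows how a customer could scan the SIEM log for this warning and count which remote partner systems are still logging in with GET, so they can be fixed before the method is refused. The warning text is taken from the announcement; the timestamp/host prefix on the constructed sample lines is an assumption about how a syslog collector stores them.

```python
import re
from collections import Counter

# Pattern for the deprecation warning the Commander writes to the SIEM server.
# The message text comes from the announcement; 'cmd' and 'ip' capture the
# command name and the remote IP of the partner system.
WARNING_RE = re.compile(
    r"Deprecated HTTP GET method request! Future versions require HTTP POST "
    r"for '(?P<cmd>[^']+)' command \(remoteIP = (?P<ip>[0-9.]+)\)"
)

# Constructed sample log lines for offline testing (not real Commander output).
SAMPLE_LOG = """\
2024-01-15T10:02:11Z commander01 Deprecated HTTP GET method request! Future versions require HTTP POST for 'validate' command (remoteIP = 192.168.31.245)
2024-01-15T10:02:15Z commander01 User admin logged in
2024-01-15T10:05:40Z commander01 Deprecated HTTP GET method request! Future versions require HTTP POST for 'validate' command (remoteIP = 192.168.31.245)
2024-01-15T11:17:03Z commander01 Deprecated HTTP GET method request! Future versions require HTTP POST for 'validate' command (remoteIP = 10.0.5.17)
"""


def find_deprecated_get_logins(log_text):
    """Return a list of (remote_ip, command) tuples, one per deprecation warning."""
    hits = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("cmd")))
    return hits


def count_by_source(log_text):
    """Count warnings per remote IP so the noisiest partner systems can be fixed first."""
    return Counter(ip for ip, _ in find_deprecated_get_logins(log_text))


if __name__ == "__main__":
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} login request(s) still using the deprecated GET method")
```

Each remote IP in the output maps to a partner integration that must be moved to POST before a later release starts rejecting the request outright.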
Future Releases
After release 56.00, future releases will return an error whenever the HTTP GET method is used with usernames and passwords and login will not be permitted.
Recommended Action
Going forward, it is recommended that all requests* (except as noted) to Commander use the HTTP POST method. When POST is used, all parameters (“cmd,” “user,” “passwd,” “otp,” “cookie,” etc.) must be sent in the body of the HTTP request.
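The following Python snippet is an added example (not code from the announcement or from the Commander product) of what the migration looks like on the partner side: the same login parameters are either forced into the URL query string (the deprecated GET form) or placed in a form-encoded POST body, and a small audit helper reports which sensitive parameters a given URL still carries. The endpoint path and host name are placeholders, not the real Commander URL layout.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Login-related parameter names listed in the announcement; treat them as sensitive.
SENSITIVE_PARAMS = {"user", "passwd", "otp", "cookie"}

# Placeholder endpoint path; the real Commander URL layout is not given in the announcement.
LOGIN_PATH = "/login"


def build_login_request(host, params, method="POST"):
    """Build (method, url, headers, body) for a Commander-style login call.

    POST: every parameter goes into a form-encoded body, so nothing sensitive
    appears in the URL, proxy/access logs, or browser history.
    GET (deprecated): parameters end up in the query string, which is exactly
    what release 56.00 warns about.
    """
    encoded = urlencode(params)
    if method == "POST":
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(len(encoded)),
        }
        return ("POST", f"https://{host}{LOGIN_PATH}", headers, encoded)
    return ("GET", f"https://{host}{LOGIN_PATH}?{encoded}", {}, "")


def sensitive_params_in_url(url):
    """Return the sorted sensitive parameter names present in a URL's query string.

    Run this over the URLs an integration emits (or over an access log) to find
    legacy GET logins; any non-empty result must be moved to a POST body.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(SENSITIVE_PARAMS & set(query))


if __name__ == "__main__":
    # Constructed sample credentials for demonstration only.
    creds = {"cmd": "validate", "user": "partner", "passwd": "s3cret", "otp": "123456"}
    legacy = build_login_request("commander.example", creds, method="GET")
    print("deprecated GET URL exposes:", sensitive_params_in_url(legacy[1]))
    fixed = build_login_request("commander.example", creds)
    print(fixed[0], fixed[1], "-> in URL:", sensitive_params_in_url(fixed[1]) or "nothing")
```

Sending the credentials in the body does not remove the need for TLS (the announcement already requires https); it only keeps them out of the places where URLs are routinely recorded.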