Login token in GET request

Çağlar Arlı

I would like to ask if the following solution is correct. I don’t think so, but I would like to hear someone else’s opinion.

In the admin control of our system, there is a function where I can open a web application as any registered user. When I click in the admin interface on “Open as (some_user),” a request is sent, and the body of the response contains a URL with a special token. The URL looks like this:

https://my.website.com/admin_login?token=asdfghjkl

This URL is then called as a GET request. The response is a 302 redirect with the URL in the Location header, which is finally called, and I am logged into the application as the requested user.

Now, my question is: Is it okay to send the token in the URL as a GET request? I think it is not.

I have often read that such things should be sent in POST requests for security reasons. However, maybe it is not such a big problem, so I would rather ask.
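The "Open as (some_user)" flow described in the question, as an added example that is not part of the original post: a hypothetical admin_login handler that limits what a token can do once it has travelled in a GET URL (it is single-use, expires within seconds, is stored only as a hash, and the 302 is marked uncacheable). The function names and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for the example; a real system would use a
# database or cache. The raw token is never stored, only its SHA-256 digest.
TOKEN_TTL_SECONDS = 30      # short life: the URL will end up in logs and history
_pending = {}               # sha256(token) -> {"admin", "user", "expires"}


def issue_impersonation_token(admin_id, target_user, now=None):
    """Admin clicked "Open as <target_user>": mint a one-time, short-lived token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from a CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {"admin": admin_id, "user": target_user,
                        "expires": now + TOKEN_TTL_SECONDS}
    return token                                  # placed in ?token=... exactly once


def redeem_impersonation_token(token, now=None):
    """GET /admin_login?token=...: return the user to log in as, or None.

    The record is removed before any check, so a token copied from an access
    log, a Referer header or browser history cannot be redeemed a second time.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.pop(digest, None)           # consumed even if it then fails
    if record is None or now > record["expires"]:
        return None
    return record["user"]


def redirect_response_headers(location):
    """Headers for the 302 that follows a successful redemption."""
    return {
        "Location": location,
        # Keep the token-bearing exchange out of browser and shared caches.
        "Cache-Control": "no-store",
        # Browsers apply a Referrer-Policy on a redirect response to the rest
        # of the chain, so the token URL is not sent on as a Referer.
        "Referrer-Policy": "no-referrer",
    }
```

Moving the token into a POST body or an Authorization header removes the URL exposure entirely; the controls above are what remain worth having if the GET redirect stays.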