
If I have a web application GET URL which gives me the details of a particular user, what is more secure / which is good practice?

eg.

www.xyz.com/user?id=10

or

www.xyz.com/user?fname="abc"&lname="lmn"

Or is anything else preferred?

Which points should be considered?

I have a page with a list of users, on which clicking the user name should lead to that particular user details.

techraf
bhushan5640

2 Answers


Since GET requests are more prone to being saved in various logs, it is considered unsafe to place private or confidential information in them.

Using an ID is perfectly fine since it is anonymous data. If your user ID is not a surrogate key, then you should create a new one and use it to identify the user externally.

Stephane

I assume that there is an authentication mechanism not visible in the example URLs you have shown us, and that the traffic is protected by SSL.

The only time someone can see the request but not the response is in the server logs - do you really store these differently from how you manage your application data?

If you do manage access to your logs, since the response is going to include the customer details, trying to restrict or hide information in the request does not serve any useful purpose. OTOH logs are stored at both ends of the interaction; are your users better served by hiding data? This depends on the service you are offering, your user base and the nature of the devices being used. But in most of the scenarios I can imagine, for someone wanting to observe this information, the interesting bits can be seen in other places than the query in the URL.

A further consideration is the specificity and cost of the processing. What happens if you have more than one record with the same fname and lname? If the cost of resolving one form of query is particularly high, then it may be an avenue for a DoS attack.

symcbean
  • Yes, the authentication mechanism is not visible in the URL and traffic is protected by SSL. So, using an ID is not insecure in this case! – bhushan5640 Apr 11 '16 at 11:11
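An added example, not code from either answer, that puts both points side by side: Stephane's surrogate key as the only identifier that appears in the `?id=` URL, and symcbean's ambiguity and cost problem with a `?fname=&lname=` lookup. The `User` and `UserDirectory` classes, the random-token surrogate key, the sample records and the admin-or-self authorization rule are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    internal_id: int   # database primary key; stays server-side
    fname: str
    lname: str
    email: str         # the "customer details" the response will carry anyway
    role: str = "user"
    # Surrogate key used in www.xyz.com/user?id=...: random, so it reveals
    # nothing about the person and is not derivable from another user's key.
    external_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))

def user_url(user: User) -> str:
    """Link used on the user-list page; only the surrogate key leaves the server."""
    return f"https://www.xyz.com/user?id={user.external_id}"

class UserDirectory:
    def __init__(self, users):
        self._users = list(users)
        self._by_external = {u.external_id: u for u in self._users}

    def get_by_external_id(self, external_id: str, requester: User):
        """Resolve ?id=...: a single dictionary lookup, fixed cost per request.
        Authorization rule (assumed): admins see everyone, others only themselves."""
        user = self._by_external.get(external_id)
        if user is None:
            return None
        if requester.role != "admin" and requester.internal_id != user.internal_id:
            return None   # same answer as "not found", so nothing leaks about existence
        return user

    def get_by_name(self, fname: str, lname: str):
        """Resolve ?fname=..&lname=..: scans every record, and names are not
        unique, so the result is ambiguous whenever two people share a name."""
        matches = [u for u in self._users if (u.fname, u.lname) == (fname, lname)]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} users match {fname} {lname}")
        return matches[0]

# Constructed sample data: two records share a name, which the name lookup cannot resolve.
ALICE = User(1, "abc", "lmn", "alice@example.com")
ALICE2 = User(2, "abc", "lmn", "alice2@example.com")
ADMIN = User(3, "xyz", "qrs", "admin@example.com", role="admin")
DIRECTORY = UserDirectory([ALICE, ALICE2, ADMIN])
```

Resolving `ALICE` by name raises because two records match, while the surrogate-key lookup is unambiguous and still refuses to return another user's record to a non-admin.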