"Also, I don't see a problem with the practice of putting sensitive data in GET variables if the website is protected by SSL - Am I missing something?"
GET requests are logged by the web server and in the browser history in plain text, even for SSL requests.
Therefore any server administrator or computer user can have access to those information just reading the server log or the browser history.
GET requests are logged by the web server and in the browser history in plain text, even for SSL requests.
Therefore any server administrator or computer user can have access to those information just reading the server log or the browser history.