A very long time ago, the idea of the internet was to provide static information. That hasn’t been true for a long time. User-generated and dynamic content are common nowadays, and web developers are still trying to keep their applications up to date with the latest developments.

However, they are becoming lazy and are getting confused. They are now using features of the HTTP protocol for things they were never meant for. In most cases this isn’t a big problem, and it works, right? Well, there’s one thing that should be taken into consideration:

“GET requests should not be used as POST requests and shouldn’t have any side effects, like confirming a registration”


This is based on the following statements in RFC 2616, the HTTP/1.1 specification:

GET

The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI. If the Request-URI refers to a data-producing process, it is the produced data which shall be returned as the entity in the response and not the source text of the process, unless that text happens to be the output of the process.

(…)

POST

The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST is designed to allow a uniform method to cover the following functions:

  • Annotation of existing resources;
  • Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
  • Providing a block of data, such as the result of submitting a form, to a data-handling process;
  • Extending a database through an append operation.

These statements leave only one possible conclusion: confirming an e-mail address, for example, should not be done just by requesting a page. Instead, the link could point to a special URI that shows the user a button, and that button confirms the registration using a POST request.
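The confirmation flow described above, as an added example that is not code from the original post: GET only renders the button, and the state change happens on POST, so a stray GET (an accidental click or any automated fetch of the link) confirms nothing. The `/confirm` path, the `token` parameter, the in-memory `PENDING` store and the `request` helper are assumptions made for illustration.

```python
import html
import io
from urllib.parse import parse_qs

PENDING = {"tok-123": "alice@example.org"}   # constructed sample: token -> address
CONFIRMED = set()

FORM = ('<form method="post" action="/confirm">'
        '<input type="hidden" name="token" value="{token}">'
        '<button>Confirm registration</button></form>')

def respond(start_response, status, body, extra=()):
    start_response(status, [("Content-Type", "text/html; charset=utf-8"), *extra])
    return [body.encode()]

def app(environ, start_response):
    """WSGI app for /confirm: GET is safe, only POST changes state."""
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        # Safe method: render the button and touch no state.
        token = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
        return respond(start_response, "200 OK", FORM.format(token=html.escape(token)))
    if method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        email = PENDING.pop(form.get("token", [""])[0], None)  # token is single-use
        if email is None:
            return respond(start_response, "400 Bad Request", "Unknown or used token")
        CONFIRMED.add(email)
        return respond(start_response, "200 OK", "Registration confirmed")
    return respond(start_response, "405 Method Not Allowed", "", [("Allow", "GET, POST")])

def request(method, query="", body=b""):
    """Drive the app in-process; returns (status line, response body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/confirm", "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode()

if __name__ == "__main__":
    print(request("GET", "token=tok-123"))          # shows the form, confirms nothing
    print(request("POST", body=b"token=tok-123"))   # performs the confirmation
```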

So, a GET request should only retrieve information and should not have any side effects. Of course, this doesn’t cover any statistics software you use to keep track of your visitors, as this is not something that can be done by using POST forms.

You should keep this in mind when designing any application. It prevents users from accidentally clicking a URL and confirming something.