
GET or POST: an easy debate

Posted by Guillermo García on 9:44 AM
When you develop web applications, you must be aware of how the HTTP protocol works, because, like any other protocol, it defines several message types, and you must know which one is appropriate for each situation.

Q: What kind of message must I use when I send a login-password pair from the browser to the server?

A: You must use the POST method. The main reason is not that POST is more "secure" when the message travels across the internet cloud: not at all. Neither GET nor POST prevents sniffing attacks, because the message sent on the wire is almost the same either way. The only difference is WHERE the parameters (in this case the login and password) are placed inside the message. In both cases the information is there, as plain text. The REAL reason for using POST in this kind of situation is this: when you use GET, the parameters are shown in the browser's URL field, so anyone looking over your shoulder can read them. Or worse: when you bookmark a page, the browser saves the URL displayed in the URL field, so if you use the GET method you open the possibility of your login and password being bookmarked!



Q: If my web page has a big Text Area in which the user will type a lot of characters (like writing a post, for instance), which HTTP method is appropriate for this situation?

A: The POST method. And again, the reason is not security or privacy. The main reason is size limitation. Yes, when you use GET to send a lot of data you may hit a size limit, and that limit is web-server dependent. So, if you decide to use the GET method in this situation, you must know which web server the application will run on, add some validation on the client side, and so on. But if you use the POST method you don't have size-limitation issues. Why? Simple: when you use GET, the content of the Text Area goes inside the URL, as a parameter. The URL is at the beginning of the HTTP message, so the web server must know where the URL ends and where the other HTTP header values begin. But when you use POST, the information goes at the bottom of the HTTP message, and the web server simply reads the body until it ends, without such limitations.
NOTE: The bookmark problem described above applies here as well.
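To make the two answers above concrete, here is an added example (my own code, not from the original post) that serializes the same login form as a GET and as a POST request, reports where the password ends up in each message, and parses the request the way a server would: request line first, then headers, then a body delimited by Content-Length. The host, the credentials and the 8192-byte URL limit are constructed, illustrative values; real servers each have their own limit, which is exactly the point of the second answer.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values for the demonstration; not real credentials.
HOST = "example.test"
LOGIN_FORM = {"login": "alice", "password": "s3cret"}


def build_get_request(path: str, params: dict, host: str = HOST) -> bytes:
    """Serialize a GET request: the parameters ride in the request line (the URL)."""
    query = urlencode(params)
    return (f"GET {path}?{query} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "\r\n").encode()


def build_post_request(path: str, params: dict, host: str = HOST) -> bytes:
    """Serialize a POST request: the same parameters ride in the body, after the blank line."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n"
            f"{body}").encode()


def locate_value(request: bytes, value: str) -> str:
    """Say where a value appears in the serialized request:
    'request-line' (it is part of the URL), 'body', or 'absent'.
    Either way it is plain text on the wire; only the position differs."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    needle = value.encode()
    if needle in request_line:
        return "request-line"
    if needle in body:
        return "body"
    return "absent"


def parse_request(request: bytes, max_url: int = 8192) -> dict:
    """Minimal server-side parse. The request line is handled first and must fit
    the server's URL limit (max_url is an assumed, illustrative value); the body is
    read afterwards and is delimited by Content-Length, so its size is not an issue."""
    head, _, rest = request.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if len(target) > max_url:
        raise ValueError("414 URI Too Long")      # where an oversized GET fails
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    split = urlsplit(target)
    params = parse_qs(split.query)                # parameters from the URL (GET)
    if method == "POST" and headers.get("content-type") == "application/x-www-form-urlencoded":
        params.update(parse_qs(body.decode()))    # parameters from the body (POST)
    return {"method": method, "path": split.path, "url_length": len(target),
            "body_length": length, "params": {k: v[0] for k, v in params.items()}}
```

Run `locate_value(build_get_request("/login", LOGIN_FORM), "s3cret")` and the password is found in the request line, which is what a bookmark stores and what browser history and web-server access logs typically record too; with the POST version it is found in the body, out of the URL but still readable by anyone who can see the traffic. Feeding a 20000-character text-area value through `build_get_request` makes `parse_request` reject it with a 414, while the POST version is accepted because the body is read to its declared length.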



Q: If I have a simple search form in my web page, which HTTP method must I use?
A: After the answers above, it sounds like the GET method is useless, right? But you would be wrong; in fact I think it is the most used HTTP method (not counting the misuses). Suppose you search Amazon for a few film titles and, after a while, you finally find a combination of search criteria that satisfies your expectations, and then you bookmark the search result. If Amazon used POST for sending the search criteria, your bookmark would not work (no info in the URL), but if they use GET, your bookmark will search Amazon with the criteria that you love. So, you must use the GET method if you want to allow search bookmarks.
NOTE: there is an issue with this approach. Think: when a regular user bookmarks a search result, does he know that, by bookmarking the search criteria, he may later get a different search result?


In conclusion: use POST when you don't want your info in the URL (which implies bookmark issues and size limitations) and use the GET method for the rest. But if you want to be academic, the real conclusion is: "Use POST for each request that will make a state change on the server (like adding something to a database), and use GET for consult-only operations".
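The academic rule in the conclusion, together with the search-form answer, can be enforced in the request dispatcher rather than left to convention. The added example below (my own code, not from the original post) routes a read-only search on GET, accepts the state-changing "add" only on POST, and answers 405 Method Not Allowed to a GET aimed at the add route, so a bookmarked or retyped URL can never write to the store. The route names `/search` and `/comments/add`, the `CommentStore` class and its sample contents are hypothetical, constructed for the demonstration.

```python
from http import HTTPStatus
from urllib.parse import urlsplit, parse_qs


class CommentStore:
    """Constructed in-memory store standing in for the database."""

    def __init__(self, comments=None):
        self.comments = list(comments or [])

    def search(self, term: str) -> list:
        """Consult operation: same term and same state always give the same answer,
        which is what makes a GET search URL safe to bookmark."""
        return [c for c in self.comments if term.lower() in c.lower()]

    def add(self, text: str) -> int:
        """State change: reachable only through the POST route below."""
        self.comments.append(text)
        return len(self.comments)


# Hypothetical route table: consult routes are GET-only, mutating routes POST-only.
SAFE_ROUTES = {"/search"}
MUTATING_ROUTES = {"/comments/add"}


def handle(store: CommentStore, method: str, target: str, body: str = ""):
    """Dispatch one request and return (status, payload)."""
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}   # URL parameters
    form = {k: v[0] for k, v in parse_qs(body).items()}           # body parameters
    path = parts.path

    if path in SAFE_ROUTES:
        if method != "GET":
            return HTTPStatus.METHOD_NOT_ALLOWED, "read-only route: use GET"
        return HTTPStatus.OK, store.search(query.get("q", ""))

    if path in MUTATING_ROUTES:
        if method != "POST":
            # A URL that is bookmarked or typed into the address bar arrives as GET;
            # refuse it and leave the store untouched instead of writing.
            return HTTPStatus.METHOD_NOT_ALLOWED, "state-changing route: use POST"
        text = form.get("text", "").strip()
        if not text:
            return HTTPStatus.BAD_REQUEST, "missing text"
        return HTTPStatus.CREATED, store.add(text)

    return HTTPStatus.NOT_FOUND, None
```

With a store holding "Great film", "Boring film" and "Nice book", `handle(store, "GET", "/search?q=film")` returns the two film comments and can be repeated from a bookmark indefinitely without side effects; `handle(store, "GET", "/comments/add?text=Sneaky")` is refused with 405 and the store keeps three entries, while the same text sent as `handle(store, "POST", "/comments/add", "text=Another+film")` is accepted with 201.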


Copyright © 2009 ggarciao.com
- Cup of Java -
All rights reserved.