Make sure you use the right method
Posted by Jason Baker on April 29, 2009
What is the difference between HTTP POST and HTTP GET?
If your guess is that GET sends data via the query string while POST send data in the request’s body, you are… absolutely correct. And I hate your guts. Why is this? It’s not that what you’re saying is wrong by any stretch of the imagination.
I hate you because while GET and POST do send data differently, that’s not the biggest difference between the two. The biggest difference is that POST methods are idempotent. What does this piece of programmer-ese mean? How many times have you seen something similar to this Chrome form?
On poorly designed websites, you probably see it a lot. Web development newbies will often ask how to disable this page (or its Firefox equivalent). There’s a really simple answer for this: you don’t. That warning is there for a reason. You will see that warning every time you hit the back button to go to a page that was requested via HTTP POST.
The reason for this is that POST requests aren’t idempotent. Idempotent is just a fancy word meaning that something won’t make changes. As the HTTP 1.1 specification says:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered “safe”. This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
Suppose we’re writing software for a web forum, and we have a URI /forum/submit-message. If we send data to this form, it will post a message. Now, imagine that after submitting a message, the user visits /forum/view-message and then hits the back button. They will go back to /forum/submit-message and send the same message over again if you were to use HTTP GET instead of POST. However, if you were to use POST, that would be prevented by the maligned “Confirm Form Resubmission” page. Sometimes annoying things can be useful, eh?
What’s the point?
The point is that nothing is more annoying than a website that uses GET and POST incorrectly. And you don’t want to lose users by using the wrong one, do you?