
#1684 Use GET only for read only operations

Needs_decision
open
None
Normal
2015-07-09
2015-07-08
No

Currently we perform some operations by GET and some by POST requests. We should change this to use GET only for read-only operations, while anything that performs changes should be done by POST. This way we can remove the CSRF token from URLs and pass it only in forms, making URLs nicer.

Per RFC 7231, the POST method should be used for any context in which a request is non-idempotent: that is, it causes a change in server state each time it is performed, such as submitting a comment to a blog post or voting in an online poll. GET is defined to be nullipotent, with no side-effects (in contrast to "no side effects on second or future requests" as with idempotent operations).
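
The rule proposed above, sketched as a request gate. This is an added example, not phpMyAdmin code: the action names, the `token` form field and the `gate_request()` helper are assumptions made for illustration. GET and HEAD reach only read-only actions and need no token; every POST must carry the session's CSRF token in the form body.

```php
<?php
declare(strict_types=1);

// Hypothetical action table (constructed for illustration): true = changes server state.
const ACTIONS = [
    'browse_rows'    => false,
    'show_structure' => false,
    'drop_table'     => true,
    'update_row'     => true,
];

/**
 * Returns [HTTP status, reason] for a request.
 * $post is the parsed form body; the CSRF token is read from there only.
 */
function gate_request(string $method, string $action, array $post, string $sessionToken): array
{
    if (!array_key_exists($action, ACTIONS)) {
        return [404, 'unknown action'];
    }
    $method = strtoupper($method);
    if ($method === 'GET' || $method === 'HEAD') {
        // Safe methods may only reach read-only actions, so they need no token.
        return ACTIONS[$action]
            ? [405, 'state-changing action requires POST']
            : [200, 'read-only action'];
    }
    if ($method !== 'POST') {
        return [405, 'method not allowed'];
    }
    // Every POST carries the token in the body, never in the query string.
    $token = $post['token'] ?? null;
    if (!is_string($token) || $sessionToken === '' || !hash_equals($sessionToken, $token)) {
        return [403, 'missing or invalid CSRF token'];
    }
    return [200, 'token verified'];
}

// Constructed sample requests: [method, action, form body].
$sessionToken = bin2hex(random_bytes(16));
$samples = [
    ['GET',  'browse_rows', []],
    ['GET',  'drop_table',  []],
    ['POST', 'drop_table',  []],
    ['POST', 'drop_table',  ['token' => $sessionToken]],
    ['POST', 'browse_rows', ['token' => $sessionToken]], // large read sent by POST
];
foreach ($samples as [$method, $action, $post]) {
    [$status, $reason] = gate_request($method, $action, $post, $sessionToken);
    printf("%-4s %-12s -> %d %s\n", $method, $action, $status, $reason);
}
```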

Discussion

  • Madhura Jayaratne

    • assigned_to: Madhura Jayaratne
     
  • Madhura Jayaratne

    Michal,
    I would appreciate your thoughts on the following.

    GET requests have limitations in terms of the length of data they can carry, and for certain operations we cannot estimate this in advance. At the PHP level, this may be avoided to some extent with PMA_Util::linkOrButton(). However, it is still a problem in AJAX requests.
    GET requests may be cached. So even when requesting HTML to be shown in a jQuery dialog we will have to explicitly ask jQuery to disable caching as some pages may have dynamic content.