On Fri, February 24, 2012 4:40 pm, Larry Garfield wrote:
> On 2/24/12 4:34 PM, Richard Lynch wrote:
>> On Fri, February 24, 2012 4:16 pm, Larry Garfield wrote:
>>> On 2/24/12 3:28 PM, Richard Lynch wrote:

> Except that per HTTP, GET and POST are completely different
> operations.  One is idempotent and cacheable, the other is not
> idempotent and not cacheable.  I very much care which someone is using.

If all my operations are idempotent, regardless of the request method,
I can and will cache the POST operations, because I know I can do so.

In other words: The HTTP spec specifically requires GET to be
idempotent, and that implies it is cacheable.

Nowhere in the HTTP spec can I find a REQUIREMENT for POST to not be
idempotent, or to NOT be cached if it happens to BE idempotent.

If I'm wrong please cite your reference.

> As Will said in the other reply, there are security implications.  (I
> don't know who suggested that POST is more secure than GET.  I
> certainly didn't.)

I know you wouldn't say that.

Only total newbies think POST is "more secure" because they just don't
understand how they work.

> You want your login form operating over POST, not GET, in
> large part for the reasons above.

Obviously login MUST be POST. It's not idempotent.

Authentication to receive the content would also have to be POST, as
it's not idempotent.

But there is no reason to REQUIRE idempotent requests to be GET, and
no specification that I can find that states that it is.

The only requirement is that NON-idempotent must *NOT* be GET.

-- 
brain cancer update:
http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate:
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE



-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
