Brian Kotek wrote:
> You're proving my point. Going through your app and changing any <A HREF>
> tag that targets a link that changes data on the server to use POST instead
> of GET *is* an increase in complexity. And, if I understand you correctly,
> you're doing it just to get a pop-up window from your browser? A pop up that
> anyone can ignore, or that a spider can just bypass anyway? When under the
> hood you're still going to have to have logic to make sure the user is
> logged in, and editing data that they are allowed to edit, etc.?

I don't retrofit existing sites just for the sake of getting this correct, but if I develop something new it is the guiding principle. And it saves me the "why do I get billed twice for this report" questions from users that are logged in and have the right to order something.

And the part you glossed over is that I change forms from post to get if they do not change the data. Because it provides a better user experience if the browser does not come with that annoying popup.

> Is this really the best reason someone can offer to justify making all
> data-editing URLs use the POST method? I know it isn't anyone's job here to
> convince me, and that I'm the one ignoring this rule, but so far I'm still
> not seeing any particularly compelling reason to be concerned.

Would you do it if it were easier? For a while now I have considered proposing to the W3 HTML standard committee to add a "method" attribute to the "href" tag so you could also make a normal link fire a post instead of a get.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291121

