Why is using an HTTP GET to update state on the server in a RESTful call incorrect?

Backend · Unresolved · 5 answers · 1055 views

南笙 2021-01-17 20:22

OK, I know already all the reasons on paper why I should not use an HTTP GET when making a RESTful call to update the state of something on

5 answers
  •  无人共我
    2021-01-17 21:12

    Here is an important reason that GETs should be idempotent and not be used for updating state on the server, with regard to Cross-Site Request Forgery attacks. From the book Professional ASP.NET MVC 3:

    Idempotent GETs
    Big word, for sure — but it’s a simple concept. If an operation is idempotent, it can be executed multiple times without changing the result. In general, a good rule of thumb is that you can prevent a whole class of CSRF attacks by only changing things in your DB or on your site by using POST. This means Registration, Logout, Login, and so forth. At the very least, this limits the confused deputy attacks somewhat.
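    The point of the quote, as an added example that is not from the book or from the answer above: a logout endpoint that changes state on GET is triggered by any cross-site page that embeds its URL, because the browser attaches the victim's cookie automatically, while the same endpoint restricted to POST with a session-bound token refuses the forged request. The endpoint, session ids and in-memory "database" are constructed for the demo.

    ```python
    import hashlib
    import hmac
    import secrets

    SECRET = secrets.token_bytes(32)        # server-side key, constructed for the demo
    state = {"logged_in": set()}            # constructed in-memory "database"


    def csrf_token(session_id: str) -> str:
        # Token bound to the session; a page on another origin cannot read it.
        return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


    def weak_logout(request: dict) -> str:
        # State change on GET: an <img src="https://site/logout"> on any other
        # site makes the browser send this request with the victim's cookie.
        if request["method"] != "GET":
            return "405 Method Not Allowed"
        state["logged_in"].discard(request["cookie_user"])
        return "200 logged out"


    def hardened_logout(request: dict) -> str:
        # 1) Only POST may change state, so links and images cannot trigger it.
        if request["method"] != "POST":
            return "405 Method Not Allowed"
        # 2) The POST must carry the session-bound token; compare in constant time.
        expected = csrf_token(request["session_id"])
        if not hmac.compare_digest(request.get("form_token", ""), expected):
            return "403 CSRF token missing or invalid"
        state["logged_in"].discard(request["cookie_user"])
        return "200 logged out"


    def forged_request(method: str) -> dict:
        # What the browser sends for a request embedded by another origin:
        # the cookie comes along automatically, the token does not.
        return {"method": method, "cookie_user": "alice", "session_id": "sess-alice"}


    def legitimate_request() -> dict:
        # The site's own form includes the token it rendered for this session.
        return {**forged_request("POST"), "form_token": csrf_token("sess-alice")}


    def run_scenarios() -> dict:
        # Returns the responses and whether alice is still logged in afterwards.
        results = {}
        state["logged_in"] = {"alice"}
        results["weak_forged_get"] = weak_logout(forged_request("GET"))
        results["weak_still_logged_in"] = "alice" in state["logged_in"]
        state["logged_in"] = {"alice"}
        results["hardened_forged_get"] = hardened_logout(forged_request("GET"))
        results["hardened_forged_post"] = hardened_logout(forged_request("POST"))
        results["hardened_still_logged_in"] = "alice" in state["logged_in"]
        results["hardened_legit_post"] = hardened_logout(legitimate_request())
        results["hardened_logged_in_after_legit"] = "alice" in state["logged_in"]
        return results
    ```
    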
