How should I choose between GET and POST methods in HTML forms?

醉话见心 2020-11-27 18:42

I wish to know all the pros and cons about using these two methods. In particular the implications on web security.

Thanks.

17 answers
  • 2020-11-27 19:00

    GET might be easier to debug 'cause you can monitor all sent values in the address bar without any additional tools. But there is a limitation of the max. length so with a few variables you may exceed this.

    POST isn't much more secure these days 'cause with free tools like Fiddler & co. you can grab the values very easily. But there is no real limitation of the length or amount of values you can submit this way and your URLs are looking more user-friendly.

    So my all-time suggestion would be to use POST instead of GET.

    0 Discussion (0)
  • 2020-11-27 19:01

    Use GET if you want the result to be bookmarkable.

    0 Discussion (0)
  • 2020-11-27 19:01

    Generally best to use POST because it's a bit better hidden for snooping, better handling of spaces/encoding in the fields with some browsers, and especially because of limitations in the overall length of GET fields.

    0 Discussion (0)
  • 2020-11-27 19:03

    GET should not have side-effects: http://www.w3.org/DesignIssues/Axioms.html#state

    POST forms should be used when a submission has side effects.

    Neither method has any real implication on security, use SSL if you're concerned about security.

    0 Discussion (0)
  • 2020-11-27 19:05

    In addition to the fine answers from e.g. Micke, I want to point out an important difference in how browser interfaces handle pages requested with GET vs. POST.

    If you reload a GET-requested page, the browser will just fetch the URL again (from the server or from cache). However, if you reload a POST, the browser will show a slightly confusing warning popup about reposting data, which the user may then cancel (leading to an even more confusing "expired" page). Same thing if you use back or history to return to a page which is the result of a POST.

    This is of course based on the different semantics: GET-requests are supposed to be idempotent - i.e., you can do it several times without changing anything. POSTs on the other hand are for actions with side effects, like signing up for something, buying something, posting a comment on a forum. Typically the user doesn't expect to repeat this action when reloading, so the warning is sensible. However, avoid using POST if the action is safely repeatable (like a search), since the warning is not necessary and would just be confusing to the user.

    A point regarding security: If you have a password field in a GET-form the password will get masked for prying eyes when you type it in, however, it will be plainly visible in the address bar when you hit submit! But apart from that, there is no real security in either GET or POST, so use SSL if that is a concern.

    0 Discussion (0)
  • 2020-11-27 19:05

    If you are passing things like passwords or other sensitive information, always use POST and make sure you are using SSL so that data doesn't travel between the client and server in clear-text.

    Security-wise, the downside of using GET is that all the submitted data will be in the URL, and therefore stored locally on the client in the browser history.

    0 Discussion (0)
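The difference the last two answers describe (GET data landing in the address bar and browser history, and neither method being protected without SSL/TLS), as an added example that is not part of any answer in the thread. It runs under Node.js; the host `shop.example`, the field names and the values are constructed sample data, and `buildFormRequest` and `whereIsSecret` are hypothetical helper names.

```javascript
// Serialize one form the way a browser does for method="get" and
// method="post", then report where a secret field value ends up.
function buildFormRequest(action, method, fields) {
  const url = new URL(action);
  const encoded = new URLSearchParams(fields).toString();
  const isGet = method.toLowerCase() === "get";
  if (isGet) url.search = encoded; // GET: fields become the query string
  const body = isGet ? "" : encoded; // POST: fields travel in the body
  const headers = { Host: url.host };
  if (!isGet) {
    headers["Content-Type"] = "application/x-www-form-urlencoded";
    headers["Content-Length"] = String(Buffer.byteLength(body));
  }
  return {
    addressBar: url.href, // what the address bar, history and bookmarks hold
    requestLine: `${method.toUpperCase()} ${url.pathname}${url.search} HTTP/1.1`,
    headers,
    body,
    encrypted: url.protocol === "https:", // TLS ("SSL" in the answers)
  };
}

function whereIsSecret(req, secret) {
  // Compare against the form-encoded spelling of the secret.
  const needle = new URLSearchParams({ v: secret }).toString().slice(2);
  return {
    inUrl: req.addressBar.includes(needle),
    inBody: req.body.includes(needle),
    readableOnWire: !req.encrypted, // without TLS, URL and body are both plaintext
  };
}

// Constructed sample data: hypothetical host, field names and values.
const sampleFields = { user: "alice", password: "hunter2 !" };
for (const action of ["http://shop.example/login", "https://shop.example/login"]) {
  for (const method of ["get", "post"]) {
    const req = buildFormRequest(action, method, sampleFields);
    console.log(req.requestLine, whereIsSecret(req, sampleFields.password));
  }
}
```

Only the GET rows report `inUrl: true`, and only the `https:` rows report `readableOnWire: false`, so the two properties vary independently of each other.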