Generally, a GET request is not meant to have any side-effects. However many sites allow you to reset your password or authenticate your email/user by clicking a link embedded in the email. Since we don't want to send HTML emails and therefore cannot use a form in which the data is POSTed, we have to use a GET request.
However it is considered bad design to have Requests using GET with side-effects. What is your opinion about this? Is there any way to solve this dilemma?
Normally such links only contain a token that identifies the user who wants to reset the password, or rather the request to reset the password. It does not log in the user.
Then a form is shown where the user can create a new password.
Anyway, that a GET request should be idempotent is not a hard fact, it is more a guideline. If it improves the usability for the user not to stick to that guideline, then go for it (after considering alternatives and consequences of course). In the end, usability matters.
But if you want to reset the password by generating a random password and sending it to the user, don't do it. Sending plaintext passwords in unencrypted emails is a very bad idea. In this case I would prefer security over usability and let the user choose it himself.
Update
By the way, a very important point with such URLs is that they normally are only accessible once, or at least only as long as the user has not finished the procedure. So although you might change something with the GET request, the resource will be deleted anyway.