I’m implementing a message system (private messaging, if you will) and I’d like to be able to display the list of messages a user has by a text link so I don’t need a button to open it. The message_id (unique value in the database) would be passed through the URL (something like http://www.example.com/message/view/16). Assuming I check to make sure the session of the userid matches the userid that the message is sent to, is this OK? To make it safer I could just append a random number and set that as a session, and then just check for that upon viewing.
Should I forget this idea and just stick with a submit button to view the message?
A POST request would not provide any more safety than a GET request: any half-decent web debugging tool can forge POST requests. You should simply never trust user-input data. Always double-check authorizations for safety!
That said, GET request semantics match what you’re trying to do here. The HTTP standard says that a GET request should be repeatable without any non-trivial consequence. For instance, it’s adequate to view data with a GET request (and possibly do small things like incrementing a counter, since these are pretty trivial consequences). In fact, GET and HEAD are the two request methods that are considered “safe”.
On the other hand, POST requests are expected to have non-trivial consequences, like sending a message or placing an order. Stuff that you don’t want to perform twice accidentally. Most browsers these days also respect this by warning users when reloading a page would cause a POST request to be performed again.
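As an added illustration of the answer's point (this is example code, not from the question or the answer above), the recipient check is performed server-side on every request, and the same check runs whether the message id arrives in a GET URL segment or in a POST form field. The message table, the user ids and the `handle` dispatcher are constructed for the example and stand in for the real database and web framework.

```python
# Added example: authorization check on message view, independent of HTTP method.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    message_id: int
    sender_id: int
    recipient_id: int
    body: str


# Constructed sample data standing in for the messages table in the database.
MESSAGES = {
    16: Message(16, sender_id=3, recipient_id=7, body="see you at 10"),
    17: Message(17, sender_id=7, recipient_id=3, body="ok"),
}


class NotFound(Exception):
    """Message id is malformed or does not exist."""


class Forbidden(Exception):
    """Message exists but the logged-in user is not its recipient."""


def view_message(session_user_id, message_id):
    """Return the message only if the logged-in user (from the server-side
    session, never from the request) is the recipient.  Many applications
    raise NotFound here too, so an attacker cannot tell whether an id exists;
    the two cases are kept apart to make the check visible."""
    try:
        mid = int(message_id)  # the id arrives as a string from URL or form
    except (TypeError, ValueError):
        raise NotFound
    msg = MESSAGES.get(mid)
    if msg is None:
        raise NotFound
    if msg.recipient_id != session_user_id:
        raise Forbidden
    return msg


def handle(method, session_user_id, path=None, form=None):
    """Tiny dispatcher (hypothetical, replaces a web framework's routing):
    extracts the id from the URL for GET or from the form body for POST and
    runs the identical authorization check, returning (status, body)."""
    if method == "GET":
        message_id = path.rsplit("/", 1)[-1]  # ".../message/view/16" -> "16"
    elif method == "POST":
        message_id = (form or {}).get("message_id")
    else:
        return 405, ""
    try:
        return 200, view_message(session_user_id, message_id).body
    except NotFound:
        return 404, ""
    except Forbidden:
        return 403, ""


if __name__ == "__main__":
    print(handle("GET", 7, path="/message/view/16"))          # recipient: 200
    print(handle("GET", 3, path="/message/view/16"))          # sender only: 403
    print(handle("POST", 3, form={"message_id": "16"}))       # POST changes nothing: 403
    print(handle("GET", 7, path="/message/view/999"))         # unknown id: 404
```

The only value the check trusts is `session_user_id`, which comes from the server-side session; the message id from the request is treated purely as a lookup key, so forging the request method or the id gains nothing.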