0

Normally if I use HTTPClient and issue GetAsync(URI) or similar, if I wanted to pass some parameters like "int id, string name, string division" I would need to append them to the uri: "http://localhost/webapplication/api/controller/action/id"

Are there any alternatives to this standard method of passing parameters, so that the information isn't right in the URI?

Something like HTTPClient.MessageParameters = myObject, which is put inside the message body and which I can then unpack on the other side?

If there are no alternatives, is using a POST an acceptable way to hide the parameters?

Thanks

Ray

3 Answers

3

Using POST is the accepted way to hide these parameters, and if executing the request has side effects, they should definitely be submitted in a POST request. GET requests may be cached by a proxy or somewhere else along the way, which could cause a problem for you. I think you could theoretically try to change the request headers, but there's no guarantee that the server won't drop them if they're non-standard, so you shouldn't look into that option.

EDIT: See this question for more about X-headers (non-standard HTTP headers) and whether you can safely use them. It appears they're deprecated now.

Troy
  • caching can be avoided by adding a dummy parameter to the url with a randomly generated value. – collapsar Aug 01 '13 at 18:18
  • Sure, but why do that when there's already an HTTP verb which is supposed to be used for this purpose? – Troy Aug 01 '13 at 18:21
  • depends on your application, i guess. assembling POST requests can be cumbersome and - more important - it's sometimes desirable to have parameters in the url (eg. to trigger url rewriting or request dispatching by a proxy). – collapsar Aug 01 '13 at 18:30
  • thanks for the link to the X-headers rfc. though i don't follow their reasoning. quote from the [rfc 6648](http://www.ietf.org/rfc/rfc6648.txt): `2. SHOULD employ meaningful parameter names that they have reason to believe are currently unused; 3. SHOULD NOT prefix their parameter names with "X-" or similar constructs.`. so i use headers with `X-` to express the semantics suggested by the meaningful name + the info that this header has not been assigned by or registered with an official standard-maintaining authority. – collapsar Aug 01 '13 at 18:36
  • @collapsar, who says you can't have parameters in the URL with a POST request? There's nothing stopping you from doing that, and most REST services seem to do both. – Troy Aug 01 '13 at 18:42
  • of course you can. but if you do it's rather pointless to avoid a GET request because of parameters visible in the url, isn't it ? – collapsar Aug 01 '13 at 19:02
  • Not at all, this is a very common thing to do. Let's say you want to pass authentication information for some stateless API, and don't want it to appear in the server logs. POST request. For example, I want to add an element to a collection whose endpoint is at /api/users/groupname, where "users" and "groupname" can be thought of as parameters, but I want to pass auth info and info about the user as well. – Troy Aug 01 '13 at 19:11
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/34648/discussion-between-collapsar-and-troy) – collapsar Aug 01 '13 at 19:16
2

you have at least 2 options:

  • add custom http headers containing your data.

    eg.

    ```
    X-Var-Count: 3
    X-Var-Name-1: id
    X-Var-Value-1: <value_of_id>
    X-Var-Name-2: name
    X-Var-Value-2: <value_of_name>
    X-Var-Name-3: division
    X-Var-Value-3: <value_of_division>
    ```

    obviously this requires additional server-side processing.

  • switch to a POST request

collapsar
2

I would go with a POST.

Any parameters passed with a GET can be captured and logged by a proxy or will be cached in server logs.

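```csharp
using System.IO;
using System.Net;
using System.Text;

HttpWebRequest httpWReq =
    (HttpWebRequest)WebRequest.Create("http://domain.com/page.aspx");

// Form fields go in the request body instead of the query string.
ASCIIEncoding encoding = new ASCIIEncoding();
string postData = "username=user";
postData += "&password=pass";
byte[] data = encoding.GetBytes(postData);

httpWReq.Method = "POST";
httpWReq.ContentType = "application/x-www-form-urlencoded";
httpWReq.ContentLength = data.Length;

// Write the encoded body to the request stream.
using (Stream stream = httpWReq.GetRequestStream())
{
    stream.Write(data, 0, data.Length);
}

// Send the request and read the whole response; dispose both when done.
string responseString;
using (HttpWebResponse response = (HttpWebResponse)httpWReq.GetResponse())
using (StreamReader reader = new StreamReader(response.GetResponseStream()))
{
    responseString = reader.ReadToEnd();
}
```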

See for code: HTTP REQUEST WITH POST

See for reasoning: HTTP GET AND POST PARAMETERS RECOMMENDATIONS

x2z
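
The POST approach recommended in the answers, written for the HttpClient class the question asks about. This is an added example, not code from any of the posts; the endpoint URL, the class and method names, and the sample values are assumptions. It builds the request without sending it, so the URI and the body can be inspected side by side.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

class BodyParametersExample
{
    // Hypothetical endpoint, modelled on the URI in the question.
    const string Endpoint = "https://localhost/webapplication/api/controller/action";

    // Builds a POST whose parameters travel in the form-encoded body, not in the URI.
    static HttpRequestMessage BuildRequest(int id, string name, string division)
    {
        var fields = new Dictionary<string, string>
        {
            ["id"] = id.ToString(),
            ["name"] = name,
            ["division"] = division
        };
        return new HttpRequestMessage(HttpMethod.Post, Endpoint)
        {
            // FormUrlEncodedContent percent-encodes every key and value,
            // so characters such as '&' or '=' in the data cannot split fields.
            Content = new FormUrlEncodedContent(fields)
        };
    }

    static async Task Main()
    {
        // Constructed sample values; two of them contain '&' on purpose.
        using var request = BuildRequest(42, "Ray & Co", "R&D");

        // Method and URI are what access logs and proxies usually record:
        // no parameter appears here.
        Console.WriteLine($"{request.Method} {request.RequestUri}");

        // The parameters are in the body only.
        Console.WriteLine(await request.Content.ReadAsStringAsync());

        // To send it:
        //   using var client = new HttpClient();
        //   using var response = await client.SendAsync(request);
        // Over plain http:// the body is as readable on the wire as the URI,
        // so anything sensitive needs https:// as well.
    }
}
```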