
In my ASP.Net MVC website, whenever a user registers, the admin should activate his/her account. In my view, I'm creating simple links for this:

@Html.ActionLink("activate", "user", new { id = item.ID })

I usually would create a form with a @Html.AntiForgeryToken() and POST it to the controller. However, I think it might be OK to do this via HTTP GET since we're doing this for users which are in admin role. Should I use the POST method or is it OK to continue with the HTTP GET and just an id field?

Alireza Noori

2 Answers


I think it might be OK to do this via HTTP GET since we're doing this for users which are in admin role.

Nope. If anyone sends the link to /user/activate/42 to your admin and he clicks it, he just activated a user.

Apart from the security, read "When should I use GET or POST method? What's the difference between them?" for the implications on HTTP level, which also regards browser implementations (caching, warning for re-post, and the list goes on).

CodeCaster
  • And that would be the admin's problem. Wouldn't it? – Alireza Noori Dec 12 '13 at 16:15
  • You don't say "your problem" for security holes you as a developer open. – CodeCaster Dec 12 '13 at 16:15
  • I get what you're saying. I guess I was wrong to assume that the admin won't click on any kind of link. I never trust user inputs but I guess I should consider admin a privileged kind of user! – Alireza Noori Dec 12 '13 at 16:17
  • So what is your suggestion for this? Should I create a form for each row of the table with a separate AntiForgeryToken and a submit button for activation? – Alireza Noori Dec 12 '13 at 16:18
  • Yes. If you want the action to happen "inline", you can always make it an AJAX link that POSTs the attached form (including anti forgery token). – CodeCaster Dec 12 '13 at 16:20

A GET request should never change the state of the system. It should leave the system unchanged. You don't want anyone to be able to approve users by making a GET request as it leaves the system open to attack. A GET request should also never be used to pass data around.

You should use a PUT request for this ideally. If you can't use a PUT then a POST is ok.

Kevin Holditch
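The fix both answers point at, as an added example that is not from the question or either answer: the GET-reachable action behind the question's ActionLink beside the POST-only version with [ValidateAntiForgeryToken], plus the per-row form CodeCaster suggests in the comments. Controller, model and repository names (UserController, AppUser, IUserRepository) and the view path are assumptions.

```csharp
using System.Web.Mvc;
// Minimal model and data access, assumed for the example only.
public class AppUser { public int ID { get; set; } public bool IsActive { get; set; } }
public interface IUserRepository { AppUser Find(int id); void Save(AppUser user); }

// BEFORE: the action behind the question's ActionLink. Any GET reaches the body, so the
// scenario in the accepted answer (the admin follows a link to /user/activate/42) succeeds.
public class UnsafeUserController : Controller
{
    private readonly IUserRepository _repo;
    public UnsafeUserController(IUserRepository repo) { _repo = repo; }

    [Authorize(Roles = "Admin")]
    public ActionResult Activate(int id)
    {
        var user = _repo.Find(id); user.IsActive = true; _repo.Save(user);
        return RedirectToAction("Index");
    }
}

// AFTER: a GET no longer reaches the body, and a POST is accepted only when the anti-forgery
// form field matches the anti-forgery cookie, which a page on another origin cannot read.
public class UserController : Controller
{
    private readonly IUserRepository _repo;
    public UserController(IUserRepository repo) { _repo = repo; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Admin")]
    public ActionResult Activate(int id)
    {
        var user = _repo.Find(id);
        if (user == null) return HttpNotFound();
        user.IsActive = true;
        _repo.Save(user);
        return RedirectToAction("Index");
    }
}

/* Views/User/Index.cshtml: one small form per table row, as CodeCaster suggests in the comments.
@foreach (var item in Model)
{
    using (Html.BeginForm("Activate", "User", new { id = item.ID }, FormMethod.Post))
    {
        @Html.AntiForgeryToken()
        <button type="submit">activate</button>
    }
}
*/
```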