In the case of an ASP.NET Web API 2 service or even a standalone MVC system, because of the way I handle errors and such, I prefer to use JsonResult functions in my controllers:

public class BaseController : Controller
{
    // This controller is where functionality common to all
    // controllers (such as error reporting) goes. It's also good for avoiding
    // code repetition, as in the case of the next function

    public JsonResult CreateResponse(object Data)
    {
        // send a JsonResult with the specified data
        return Json(Data, JsonRequestBehavior.AllowGet);
    }
}

public class UserController : BaseController
{
    public JsonResult Create(CreateUserViewModel Model)
    {
        try
        {
            var User = new User
            {
                Username = Model.Username,
                EmailAddress = Model.EmailAddress,
                Password = Hashing.CreateHash(Model.Password)
            };

            db.Users.Add(User);
            db.SaveChanges();

            return CreateResponse(true);
        }
        catch (Exception ex)
        {
            return CreateResponse(ex.Message);
        }
    }
}

In what situations would I want to AllowGet or DenyGet on the JsonRequestBehavior?

What are the implications or concerns of either course?

Ortund
  • Someone voted *There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue that can be answered in a few paragraphs.* which I certainly don't agree with. – Erik Philips Mar 29 '16 at 19:53
  • @ErikPhilips how, without knowing what possible answers there might be, does one do that? And if I did know what answers were applicable here, would it not have been a waste of time to ask? Makes no sense – Ortund Mar 29 '16 at 19:56
  • @Ortund it's not about you, it's about your question. Imagine someone asking, *should I use c# or java for doing blah*, it's not about who wrote it, it's that the question isn't simply definitely answerable. – Erik Philips Mar 29 '16 at 20:00

2 Answers

There are only two major reasons why you want to DenyGet (which can be found with little effort doing research).

First, Security

Why are GET requests returning JSON disallowed by default?

JSON Hijacking

Secondly, Browser Pre-fetch

Logout: GET or POST?

In 2010, using GET was probably an acceptable answer. But today (in 2013), browsers will pre-fetch pages they "think" you will visit next.

It's certainly possible for the browser to cache an AJAX call and assume you want the same request, which might either accidentally log out the user or tell the browser script you've been logged out when you haven't.

Erik Philips

Doing research on your question, I found that sometimes it can result in JSON Hijacking. Detailed info can be found here: http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

5413
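
One way to apply the distinction the answers draw, as an added example that is not code from the question or the answers: DenyGet (the MVC default) for anything that changes state or returns caller-specific data, AllowGet only for public read-only data. `IUserStore`, the `Email` and `PasswordRules` actions and the `publicData` parameter are hypothetical names, and the constructor injection assumes a dependency resolver is configured.

```csharp
using System.Web.Mvc;

public class CreateUserViewModel            // fields as used in the question
{
    public string Username { get; set; }
    public string EmailAddress { get; set; }
    public string Password { get; set; }
}

public interface IUserStore                 // hypothetical persistence abstraction
{
    void Add(CreateUserViewModel model);    // assumed to hash the password before storing
    string EmailFor(string username);
}

public abstract class BaseController : Controller
{
    // Helper, not a routable action. DenyGet is the default: a GET that reaches
    // a DenyGet result throws InvalidOperationException instead of serializing.
    [NonAction]
    protected JsonResult CreateResponse(object data, bool publicData = false) =>
        Json(data, publicData ? JsonRequestBehavior.AllowGet : JsonRequestBehavior.DenyGet);
}

public class UserController : BaseController
{
    private readonly IUserStore _users;
    public UserController(IUserStore users) { _users = users; }

    // Changes state: POST only, anti-forgery token required, DenyGet.
    [HttpPost, ValidateAntiForgeryToken]
    public JsonResult Create(CreateUserViewModel model)
    {
        if (!ModelState.IsValid) return CreateResponse(new { ok = false });
        _users.Add(model);
        return CreateResponse(new { ok = true });
    }

    // Returns data private to the signed-in caller: keep it off GET.
    [HttpPost, ValidateAntiForgeryToken, Authorize]
    public JsonResult Email() =>
        CreateResponse(new { email = _users.EmailFor(User.Identity.Name) });

    // Public, non-sensitive, read-only: GET is acceptable. The payload is an
    // object rather than a bare top-level array.
    [HttpGet]
    public JsonResult PasswordRules() =>
        CreateResponse(new { minLength = 12, requireDigit = true }, publicData: true);
}
```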