[racket-dev] Formlets and POST

From: Jay McCarthy (jay.mccarthy at gmail.com)
Date: Mon Feb 20 12:51:14 EST 2012

I just pushed something to address this.

It adds a keyword argument to send/formlet to control the method and
defaults it to POST.

Jay

On Sun, Feb 19, 2012 at 7:42 AM, Norman Gray <norman at astro.gla.ac.uk> wrote:
>
> Greetings.
>
> Web-server formlets currently send their form input back to the server via an HTTP GET request.  They should probably generate a form which uses HTTP POST instead.
>
> There are two problems with using GET for this.
>
> 1. If there's any sensitive information in the form, such as a password, then it's very obviously exposed in the URL and stored in logs, which wouldn't be the case if the form contents are in the HTTP request body instead.  The latter would provide at least a little bit of obscurity, rather than serious security.  This is of course not a great way to do authentication (to say the least), but if one trusts the network or one is talking to localhost, then it's good enough for some applications.  The problem isn't just confined to passwords, obviously.
>
> 2. HTTP defines GET to be side-effect free, and cacheable.  Therefore if there's an intermediary server between the client and the server, and it sees a GET request being made, it is (a) permitted to send a cached version if the URL is one it has seen before, and (b) permitted to make the GET request to the origin server multiple times (for example if there is or appears to be a failure), and send only one response to the client.  Either of these might mess up the form-mediated client-server interaction, and there's nothing anyone can do about it.  This is probably more of a theoretical problem than a common practical one.  POST is not defined to be side-effect free, and is not automatically cacheable.
>
> Of course (again), the point of continuation-based forms is that they're functional, just like GET, but many people implement services using GET forms which are intended to have side-effects.
>
> Simply defining (and using) a send/formlets/post which is identical to send/formlets but with a [method "POST"] added, seems to work fine, because formlet-process uses request-bindings/raw, which handles both GET and POST requests.  Therefore, I think that should probably be the default.
>
> Best wishes,
>
> Norman
>
>
> --
> Norman Gray  :  http://nxg.me.uk
> SUPA School of Physics and Astronomy, University of Glasgow, UK
>
>
> _________________________
>  Racket Developers list:
>  http://lists.racket-lang.org/dev



-- 
Jay McCarthy <jay at cs.byu.edu>
Assistant Professor / Brigham Young University
http://faculty.cs.byu.edu/~jay

"The glory of God is Intelligence" - D&C 93


Posted on the dev mailing list.
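The change Jay describes, as an added example that is neither code from this thread nor from the Racket code base: a small servlet that shows a login formlet through `send/formlet` and asks for the POST method explicitly. The keyword name `#:method` is the one in the current web-server documentation (the mail only says "a keyword argument"); the login formlet, the greeting page and the port are constructed for illustration.

```racket
#lang racket
(require web-server/servlet
         web-server/servlet-env
         web-server/formlets)

;; Constructed login formlet (illustration only, not code from the thread).
;; input-string is the web-server's required text field; password-input renders
;; <input type="password">, and to-string/required turn its binding into a string.
(define login-formlet
  (formlet
   (div
    "Username: " ,{input-string . => . username}
    "Password: " ,{(to-string (required (password-input))) . => . password})
   (list username password)))

(define (start req)
  ;; send/formlet renders the formlet inside a <form>, suspends the servlet until
  ;; the browser submits it, then runs formlet-process on that request.  With
  ;; #:method "POST" (the default after this change) the fields are read from the
  ;; request body by request-bindings/raw, so the password never lands in the URL,
  ;; the browser history or the access log.  Passing #:method "GET" instead would
  ;; put both fields in the query string, which is exactly the exposure Norman raised.
  (define creds (send/formlet login-formlet #:method "POST"))
  ;; Greet by username only; the password is never echoed back.
  (response/xexpr
   `(html (body (p ,(format "Welcome, ~a" (first creds)))))))

;; Run locally and open http://localhost:8000/servlets/standalone.rkt
;; (#:command-line? #t keeps serve/servlet from launching a browser itself).
(serve/servlet start #:port 8000 #:command-line? #t)
```

Because `formlet-process` reads bindings with `request-bindings/raw`, the same `login-formlet` works unchanged under either method; only the transport of the submitted fields differs, which is why the default alone decides whether a form that was never meant to be cacheable or logged ends up in the URL.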