Monday, December 3, 2007

The Difference between GET and POST

When the user enters information in a form and clicks Submit , there are two ways the information can be sent from the browser to the server: in the URL, or within the body of the HTTP request.

The GET method, which was used in the example earlier, appends name/value pairs to the URL. Unfortunately, the length of a URL is limited, so this method only works if there are only a few parameters. The URL could be truncated if the form uses a large number of parameters, or if the parameters contain large amounts of data. Also, parameters passed on the URL are visible in the address field of the browsernot the best place for a password to be displayed.

The alternative to the GET method is the POST method. This method packages the name/value pairs inside the body of the HTTP request, which makes for a cleaner URL and imposes no size limitations on the forms output. It is also more secure.

ASP makes it simple to retrieve name/value pairs. If the forms output is passed after the question mark (?) on the URL, as occurs when using the GET request method, the parameters can be retrieved using the Request.QueryString collection. Likewise, if the form is sent using the POST method, the forms output is parsed into the Request.Form collection. These collections let you address the form and URL parameters by name. For example, the value of the form variable User can be passed into a VBScript variable with one line of script:
[% UserName = Request.Form("User") %]

You dont need to specify the collection ( Form or QueryString ) in which you expect to find the User parameter. The following is an equally valid method of searching for the User parameter:[% UserName = Request("User") %]

In the absence of a specific collection, the Request object will search all of its collections for a matching parameter. This is meant to be a programming convenience. However, the ASP Request object also contains collections for ServerVariables and ClientCertificates , which contain sensitive server and user authentication information. To avoid the possibility of spoofed values, which are values entered by the user in the URL, it is highly recommended that you explicitly use the collection name when searching for parameters from these collections.The following script combines a form and an action (the script that processes the form) into a single page. By posting the form data back to the same ASP page that displays the form, server-side script can process the output of the form. This is perfectly valid, and for simple script is often more convenient than posting to a second ASP page.

[%@ LANGUAGE="VBScript" %]
[!-- FILE: logon.asp --]
[HTML]
[HEAD]
[TITLE]Authentication Form[/TITLE]
[/HEAD]
[BODY BGCOLOR=#FFFFFF]
[% If Request.Form("User") = "" Then %]
[P]Please enter your Name:
[FORM ACTION="./logon.mspx" METHOD="POST"]
Your name: [INPUT TYPE="TEXT" NAME="User"]
Your password: [INPUT TYPE="PASSWORD" NAME="Pwd"]
[INPUT TYPE="SUBMIT" VALUE="Log On"]
[/FORM]
[% Else 'User verification and logon code goes here %]
Welcome [%= Request.Form("User") %]! [% End If %] [/BODY][/HTML]

Note If you use a separate ASP file to handle the processing of a form, the Request.Form collection will be emptied when you redirect to the new page. In order to retain the form values, you must copy them to the Session object from which they can be accessed on subsequent pages.

Although the sample authentication form shown here works, theres a good reason why you would not want to use it in practice. Logon information is sensitive and should be subject to rigorous protection from prying eyes. Although you can use the POST method to contain the users password within the body of the HTTP response, it is still possible to intercept and read it.

For mission-critical applications, IIS 5.0 provides both secure authentication with integrated Windows authentication and Client Certificates, as well as data encryption with Secure Sockets Layer (SSL).

No comments: