The difference between GET and POST? Most online answers are wrong!

I recently read "HTTP: The Definitive Guide" and came away with a deeper understanding of the HTTP protocol.

In interviews, there are two classic questions about the HTTP protocol:

1. Describe the difference between GET and POST in HTTP.

2. What happens, from entering a URL in the browser to the whole page being displayed in front of the user?

Today I will talk about the first question.

First, the most common answer

When we search for this question on Google or Baidu, most of the answers come down to the following three points, which seem to have become the "standard answer". In fact, that answer is open to question.

1. GET passes parameters using the URL or Cookie, while POST puts the data in the BODY.

2. Data submitted with GET has a length limit, while POST data can be very large.

3. POST is more secure than GET, because the data is not visible in the address bar.

Second, why the "standard answer" is wrong

1. GET passes parameters using the URL or Cookie, while POST puts the data in the BODY

GET and POST are defined by the HTTP protocol. In HTTP, Method and Data (URL, Body, Header) are two orthogonal concepts; that is, which Method is used has no bearing on how the application-layer data is transmitted.

HTTP does not require that, if the Method is POST, the data must be placed in the BODY. Nor does it require that, if the Method is GET, the data (parameters) must be placed in the URL and cannot be placed in the BODY.

So where does this widely circulated statement come from? In the HTML standard I found a similar description, which is consistent with what circulates on the Internet. But this is only the HTML standard's convention for using the HTTP protocol. How can that count as the difference between GET and POST?

Moreover, modern web servers all support GET requests that include a BODY. Although such a request cannot be sent from a browser, web servers today do not serve only browsers; they have gone completely beyond the scope of an HTML server.

2. Data submitted with GET has a length limit, while POST data can be very large

The conclusion first: the HTTP protocol places no length restriction on either GET or POST. The HTTP protocol states clearly that neither the HTTP headers nor the Body have a required length.

First, "data submitted with GET has a length limit". If we use GET to submit data through the URL, then the amount of data GET can submit is directly tied to the length of the URL. In fact, a limit on URL parameters as such does not exist: the HTTP protocol specification does not limit the length of the URL. The restriction is imposed by specific browsers and servers. IE limits the URL length to 2083 bytes (2K + 35). For other browsers, such as Netscape and Firefox, there is in theory no length limit; the limit depends on operating system support.

Note that this restriction applies to the entire length of the URL, not just the length of your parameter values.

POST is the same: there is no size limit on POST. The HTTP protocol specification does not limit the size of POST data; what limits it is the processing capacity of the server-side handler.

Of course, how did the common claim that GET URLs have a length limit come about? Although it is not an essential difference between GET and POST, we can still talk about the two causes of URL length limits:

1. Browser. Early browsers imposed URL length limits. As for what the limits are now, I have not personally tested them, so I will not repeat what is said online.

2. Server. Handling long URLs is a burden on the server. A session would normally carry little data, but if someone maliciously constructs URLs several megabytes in size and keeps requesting your server, the server's maximum concurrency will obviously drop. Another attack is to tell the server that Content-Length is a large number and then send only a little data, leaving the server waiting. Even if you have a timeout set, such deliberately timed-out requests, repeated many times, can still overwhelm the server. In view of this, most servers restrict URL length for reasons of security and stability. But this restriction applies to all HTTP requests; it has nothing to do with GET or POST.
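As an added example (not part of the original post), the Python sketch below shows the server-side view of the points above: the request-line and Content-Length limits are checked the same way for every method, a GET that carries a body parses like any other request, and a body shorter than its declared Content-Length is the case a read deadline has to cover. The limit values, the `check_request` and `long_url` names and the sample requests are assumptions made for illustration.

```python
MAX_REQUEST_LINE = 8192   # assumed cap on "METHOD URL VERSION", in bytes
MAX_BODY = 1_048_576      # assumed cap on the declared Content-Length

def check_request(raw: bytes):
    """Classify a buffered HTTP/1.1 request; returns (status, method, body).

    200: complete and within limits. 414/413/400: reject immediately.
    408: fewer body bytes than Content-Length promised; a real server keeps
    reading only until its read deadline, then answers 408 and closes.
    """
    line_end = raw.find(b"\r\n")
    if line_end == -1 or line_end > MAX_REQUEST_LINE:
        return (414 if len(raw) > MAX_REQUEST_LINE else 400), None, b""
    parts = raw[:line_end].split(b" ")
    if len(parts) != 3:
        return 400, None, b""
    method = parts[0].decode("ascii", "replace")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, method, b""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return 400, method, b""
        headers[name.strip().lower()] = value.strip()
    try:
        declared = int(headers.get(b"content-length", b"0"))
    except ValueError:
        return 400, method, b""
    if declared < 0:
        return 400, method, b""
    if declared > MAX_BODY:
        return 413, method, b""   # same check for GET and POST
    if len(body) < declared:
        return 408, method, body  # body still incomplete
    return 200, method, body[:declared]

# Constructed sample requests (example.test is a placeholder host).
GET_WITH_BODY = b"GET /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 7\r\n\r\nq=hello"
SLOW_POST = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1000000\r\n\r\nab"

def long_url(method: bytes) -> bytes:
    """Build a constructed request whose URL exceeds MAX_REQUEST_LINE."""
    return method + b" /?" + b"a" * 9000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
```
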

3. POST is more secure than GET, because the data is not visible in the address bar

In fact, this claim also rests on points 1 and 2 above. I think it is not a problem in itself, but you need to understand why using GET with the data in the address bar is not safe; there is no other reason given for "POST is more secure than GET".

When data is submitted by GET, the user name and password appear in clear text in the URL. The login page may be cached by the browser, and other people can view the browser's history, so others can obtain your account and password. In addition, using GET to submit data may also lead to Cross-site request forgery attacks.
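The URL of a GET request is also recorded in web server access logs, so the exposure described above can be checked for on the server side as well. The following Python check is an added example, not from the original post; the key names in `SENSITIVE`, the `find_leaked_credentials` name and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}  # assumed key names
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2019:10:00:01 +0000] '
    '"GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2019:10:00:05 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Apr/2019:10:01:12 +0000] '
    '"GET /search?q=http+methods HTTP/1.1" 200 2048',
]

def find_leaked_credentials(lines):
    """Return (line_no, method, redacted_target, keys) for every request
    whose query string carries a sensitive key, with its value redacted."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m["target"])
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        hits = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
        if hits:
            redacted = urlencode(
                [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
            )
            findings.append((no, m["method"], f"{parts.path}?{redacted}", hits))
    return findings

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_LOG):
        print(finding)
```

The POST login in the sample produces no finding because its credentials travel in the body, which the access log does not record.
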

Third, my understanding

"1. GET passes parameters using the URL or Cookie, while POST puts the data in the BODY": this comes from usage conventions around the HTTP protocol. It is not a difference between the methods themselves.

"2. Data submitted with GET has a length limit, while POST data can be very large": this difference is caused by the settings of the different operating systems and browsers in use. It is not a difference between GET and POST themselves either.

"3. POST is more secure than GET, because the data is not visible in the address bar": this claim is not wrong, but it is still not a difference between GET and POST themselves.

Although these three points are not differences between the methods themselves, they are at least differences in how they are used, so when I ask this question in an interview, if the interviewee can give the three points above, I basically give a passing grade. So, do you want a higher score?

Fourth, the ultimate difference

The biggest difference between GET and POST is that GET requests are idempotent and POST requests are not. This is their essential difference; the points above are only differences in use.

What is idempotence? Idempotent means that requesting a particular resource once or many times should have the same side effects. Put simply, multiple requests to the same URL should return the same result.

For more about idempotence, see the article recommended in my comments.

Because of this distinction, you should not, and cannot, use GET requests for operations with side effects such as adding, deleting, or modifying data. Since GET requests are idempotent, they will be retried in a network tunnel with a poor connection. If data is added through GET, there is a risk of the operation being repeated, and the repeated operation may cause side effects (the browser and the operating system do not know that you are using a GET request to perform such an operation).

You are a props master. By convention, the actors in the film all use fake guns (non-lethal) when sparring and air guns (lethal) when shooting, but you are a maverick props master, and you swap an actor's fake gun for an air gun ...

Fifth, my suggestion

If an interviewer asks you this question, I suggest you give the three points above while making clear that they are differences in use; and of course you should go on to state the ultimate difference.

PS: Someone who had studied the HTTP protocol went to interview at a company. The interviewer asked him this question, and he replied, "GET is used to obtain data, and POST is typically used to send data to the server. There is no other difference between GET and POST." He was then rejected.

Because some interviewers have only one "standard answer" in mind.


Origin www.cnblogs.com/itgezhu/p/10726989.html