C
C#2y ago
surwren

[ASP.NET] Trying to understand the [HttpGet] and [HttpPost] tags

I understand that the tag is used to provide precedence to one action method over another where same URL is matched. However, I notice that tagging a method with [Http..] invalidates access via normal <a href> links. For example, this would NOT work 
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
Whereas these two would work: 
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
    
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>
    
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>
In this case, I am wondering if it is still good practice to leave methods untagged so that they can be called via <a href> buttons? Or could this pose any security issues?
14 Replies
FroH.LVT
FroH.LVT2y ago
it depends on what you need. a + href = GET by default. In controller you mark it POST ==> Rejected your form use POST method => work
FroH.LVT
FroH.LVT2y ago
you can read more about them here : https://www.w3schools.com/tags/ref_httpmethods.asp
W3Schools offers free online tutorials, references and exercises in all the major languages of the web. Covering popular subjects like HTML, CSS, JavaScript, Python, SQL, Java, and many, many more.
surwren
surwren2y ago
So it's not possible to have duplicate methods, with different tags [HttpGet]/[HttpPost]/unlabelled?
surwren
surwren2y ago
Was thinking of routing to the same method but differentiating by tag, I assume this is not possible? Also, why is it that just adding a button will not call the IActionResult even with a type="submit"? 
<button asp-controller="Login" asp-action="AddLoginCookie" type="submit">Login</button>
<button asp-controller="Login" asp-action="AddLoginCookie" type="submit">Login</button>
FroH.LVT
FroH.LVT2y ago
only work in <form>. Without form button type submit is the same as other buttons
surwren
surwren2y ago
So basically adding tags like <asp-controller="Login" asp-action="AddLoginCookie"> to buttons do nothing, and they can only call IActionResults if they're embedded within a form with designated action like the following? 
action="/Login/DelLoginCookie"
action="/Login/DelLoginCookie"
I'm just clarifying if I understood this correctly Is there a list of which HTTP elements are automatically considered POSTs or GETs?
FroH.LVT
FroH.LVT2y ago
I don't remember asp tag helper. You can set something like a href attribute using controller action if I'm not wrong you would use a+href or form. a+href = GET by default. you declare method in form. else use JS to make request. they are enough for me. Later you will learn FrontEnd framework. and you will use JS for most of the time
surwren
surwren2y ago
but are there any HTML/CSS tags that are explicitly POSTs?
FroH.LVT
FroH.LVT2y ago
I don't know hmhm. I would use form if i want vanilla stuff. btw CSS has nothing to do with request
surwren
surwren2y ago
oh, yeah, mbad how about JS? which ones are POSTs/GETs by default
FroH.LVT
FroH.LVT2y ago
It depends. Vanilla JS Fetch use GET by default. Other framework libraries may separate GET/POST into different methods to be used
Cisien
Cisien2y ago
Forms can be get or post, links are always posts, everything can be anything with enough javascript abuse
Brady Kelly
Brady Kelly2y ago
"links are always posts" - I beg to differ. A plain link is normally a GET
Cisien
Cisien2y ago
I meant gets
Want results from more Discord servers?
Add your server
More Posts
Creating a return to page buttonI have a post info page and posts page. Now posts page can have many filters, page number and stuff,azure functions isolated processHi all, This is a niche question, but hoping somebody could enlighten me. So I’m creating an azureASP NET Core 6 Launch without Debugging doesn't block Background Service but Debug DoesHi, I'm trying to have a ASP.NET Core BackgroundService run really in background, i mean really don[ASP.NET] Middleware Stops Controller From Receiving Login RequestThese are my buttons in /Views/Login ``` <form role="search" action="/Login/AddLoginCookie" meth.NET 6 ASP.NET API [Answered]Hello, I am programming a .NET and currently I am using ```using System.ComponentModel.DataAnnotatiSomeone please figure out this sequence2, -1, 8, -4, 26, -16, 98, ...Debugger skips over a HttpClient header with no errorTitle and it also exists the function without executing what's after that header. Any ideas how to tBullet Kills Wrong EnemyIf I shoot and hit an enemy, sometimes it will kill the wrong one. For example, if i hit 'EnemyTest'Keep Model instances without RelatedModel in queryHi, how do I keep records that do not have related model value in my query? I have a query like: beginner helpHi so im new and i need to present in code this things: Defining a class, Field vs Property Calli