C
C#3y ago
surwren

[ASP.NET] Trying to understand the [HttpGet] and [HttpPost] tags

I understand that the tag is used to provide precedence to one action method over another where same URL is matched. However, I notice that tagging a method with [Http..] invalidates access via normal <a href> links. For example, this would NOT work 
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
Whereas these two would work: 
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>
    
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>
    
[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>
In this case, I am wondering if it is still good practice to leave methods untagged so that they can be called via <a href> buttons? Or could this pose any security issues?
14 Replies
FroH.LVT
FroH.LVT3y ago
it depends on what you need. a + href = GET by default. In controller you mark it POST ==> Rejected your form use POST method => work
FroH.LVT
FroH.LVT3y ago
you can read more about them here : https://www.w3schools.com/tags/ref_httpmethods.asp
W3Schools offers free online tutorials, references and exercises in all the major languages of the web. Covering popular subjects like HTML, CSS, JavaScript, Python, SQL, Java, and many, many more.
surwren
surwrenOP3y ago
So it's not possible to have duplicate methods, with different tags [HttpGet]/[HttpPost]/unlabelled?
surwren
surwrenOP3y ago
Was thinking of routing to the same method but differentiating by tag, I assume this is not possible? Also, why is it that just adding a button will not call the IActionResult even with a type="submit"? 
<button asp-controller="Login" asp-action="AddLoginCookie" type="submit">Login</button>
<button asp-controller="Login" asp-action="AddLoginCookie" type="submit">Login</button>
FroH.LVT
FroH.LVT3y ago
only work in <form>. Without form button type submit is the same as other buttons
surwren
surwrenOP3y ago
So basically adding tags like <asp-controller="Login" asp-action="AddLoginCookie"> to buttons do nothing, and they can only call IActionResults if they're embedded within a form with designated action like the following? 
action="/Login/DelLoginCookie"
action="/Login/DelLoginCookie"
I'm just clarifying if I understood this correctly Is there a list of which HTTP elements are automatically considered POSTs or GETs?
FroH.LVT
FroH.LVT3y ago
I don't remember asp tag helper. You can set something like a href attribute using controller action if I'm not wrong you would use a+href or form. a+href = GET by default. you declare method in form. else use JS to make request. they are enough for me. Later you will learn FrontEnd framework. and you will use JS for most of the time
surwren
surwrenOP3y ago
but are there any HTML/CSS tags that are explicitly POSTs?
FroH.LVT
FroH.LVT3y ago
I don't know hmhm. I would use form if i want vanilla stuff. btw CSS has nothing to do with request
surwren
surwrenOP3y ago
oh, yeah, mbad how about JS? which ones are POSTs/GETs by default
FroH.LVT
FroH.LVT3y ago
It depends. Vanilla JS Fetch use GET by default. Other framework libraries may separate GET/POST into different methods to be used
Cisien
Cisien3y ago
Forms can be get or post, links are always posts, everything can be anything with enough javascript abuse
Brady Kelly
Brady Kelly3y ago
"links are always posts" - I beg to differ. A plain link is normally a GET
Cisien
Cisien3y ago
I meant gets

Did you find this page helpful?