So we have [HttpPost], which is an optional attribute. I understand this restricts the call so it can only be made by an HTTP POST request. My question is why would I want to do this?
4 Answers
Imagine the following:

    [HttpGet]
    public ActionResult Edit(int id) { ... }

    [HttpPost]
    public ActionResult Edit(MyEditViewModel myEditViewModel) { ... }

This wouldn't be possible unless the ActionMethodSelectorAttributes HttpGet and HttpPost were used.
This makes it really simple to create an edit view. All the action links just point right back to the controller. If the view model validates false, you just pop right back to the edit view again.
I will be bold and say this is best practice when it comes to CRUDish things in ASP.NET MVC.
EDIT:
@TheLight asked what was needed in the view to accomplish the post. It's simply just a form with method POST.
Using Razor, this would look something like this.

    @using (Html.BeginForm())
    {
        <input type="text" placeholder="Enter email" name="email" />
        <input type="submit" value="Sign Up" />
    }

This renders the following HTML:

    <form action="/MyController/Edit" method="post">
        <input type="text" name="email" placeholder="Enter email">
        <input type="submit" value="Sign Up">
    </form>

When the form is submitted, it will perform an Http Post request to the controller. The action with the HttpPost attribute will handle the request.

- Hi Mikael, I like your answer but I see a small correction. HttpGet and HttpPost are not ActionFilters but they are ActionSelectors. As the name suggests, ActionSelectors are different from ActionFilters. If you see the source code, both HttpGet and HttpPost derive from ActionMethodSelectorAttribute, which is directly derived from Attribute. Can you replace the word ActionFilters with ActionSelectors? – VJAI Jan 10 '13 at 10:08
- What should be written on the view to post to this action? – The Light Feb 26 '13 at 10:03
It's so you can have multiple Actions that use the same name; you can use the HttpPost attribute to mark which method gets handled on a Post request, like so:

    public ActionResult ContactUs()
    {
        return View();
    }

    [HttpPost]
    public ActionResult ContactUs(ContactUsModel model)
    {
        // do something with model
        return View();
    }

- Perhaps it would be a good idea to note that POST requests have the potential to alter the state of the database or modify the internal data of the website in some way. That is the reason for which web crawlers never follow such URLs. – vbocan Mar 17 '11 at 05:38
- I do not think today's crawlers give a damn about altering one's database or modifying internal data. If the crawlers can find their way through a post request handler successfully, that is insufficient – Ε Г И І И О Mar 16 '12 at 06:55
- - validation on the server side I would say. Why crawlers do not actively follow the post requests is because there is an endless number of request permutations and in most cases they are protected using Captcha or the like. – Ε Г И І И О Mar 16 '12 at 07:01
As far as best practices for HttpGet and HttpPost, it is good practice in any web development to use HttpPost for Creates, Updates, and Deletes (data modification). Post is good because it requires a form submission, which prevents users from clicking poisoned links (e.g. [https://www.example.com/Delete/1]) in emails, social sites, etc. and changing data inadvertently. If you are basically just Reading data, HttpGet works great.
See OWASP for more in-depth security considerations and why the validation token increases security.

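The GET/POST split and the validation token mentioned in the answer above, as an added example for ASP.NET MVC 5 (System.Web.Mvc); it is not code from any answer on this page. `ItemsController`, `IItemStore`, `DeleteUnsafe` and the `Index` action are hypothetical names assumed for illustration, and the store is assumed to be supplied by the application's dependency resolver.

```csharp
using System.Web.Mvc;

// Hypothetical storage abstraction, assumed for this example.
public interface IItemStore
{
    bool Exists(int id);
    void Delete(int id);
}

public class ItemsController : Controller
{
    private readonly IItemStore _store;

    public ItemsController(IItemStore store) { _store = store; }

    // Weak form, kept for contrast: no selector attribute, so a plain GET
    // (for example a clicked link to /Items/DeleteUnsafe/1) changes data.
    public ActionResult DeleteUnsafe(int id)
    {
        _store.Delete(id);
        return RedirectToAction("Index"); // Index action assumed to exist
    }

    // GET only reads: it renders a confirmation form and changes nothing.
    [HttpGet]
    public ActionResult Delete(int id)
    {
        if (!_store.Exists(id)) return HttpNotFound();
        return View(id); // the id is passed to the view as its model
    }

    // POST performs the change. ActionName keeps the URL /Items/Delete/{id}
    // while giving the C# method a distinct name from the GET overload.
    // ValidateAntiForgeryToken rejects posts that lack the token this
    // application rendered into its own form.
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        if (!_store.Exists(id)) return HttpNotFound();
        _store.Delete(id);
        return RedirectToAction("Index");
    }
}

// Delete.cshtml (Razor) must emit the token inside the form:
//   @using (Html.BeginForm()) { @Html.AntiForgeryToken()
//       <input type="submit" value="Delete" /> }
```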
This is mainly so that you can have two Actions with the same name, one which is used on GETs and perhaps displays a form for user entry and the other being used on POSTs when the user submits the form displayed by the original GET. If the Actions are not differentiated in this way, an error will occur due to being unable to resolve which Action is intended to handle the request.
