On Wednesday 24 September 2008, Steven Wittens wrote:
> Also, you shouldn't be taking any action just from a GET request, or you're opening yourself to CSRF (Cross site request forgery). To avoid this, you need a confirm form that uses POST to actually trigger the action.
This isn't really about GET vs POST, but rather about using session-derived tokens (which you get for free with Form API). To avoid the annoyance of a confirm form, you can add and verify tokens manually with drupal_get_token() and drupal_valid_token(), which you should be doing for AJAX callbacks anyway, regardless of whether they are POST or GET.
Steven
Do I need a verification token for GET (=idempotent) calls? My impression was that as long as nothing changes on the server (besides view counts), this token is not really needed. I try to avoid the practice of adding long verification tokens to GET URLs, since it is ugly. --yuval
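The pattern Steven describes, a state-changing AJAX callback that mints its own token with drupal_get_token() and checks it with drupal_valid_token() instead of going through a confirm form, as an added example that is not code from this thread or from Drupal itself. It assumes the Drupal 6 API of the time (url(), drupal_get_token(), drupal_valid_token(), drupal_access_denied(), drupal_json()); the module name tokendemo, the menu path and the tokendemo_* function names are assumptions made for the example.

```php
<?php
// Added example, not from the thread or from Drupal core. Assumes the
// Drupal 6 API; "tokendemo", its path and function names are invented.

/**
 * Implements hook_menu(): registers the AJAX endpoint.
 */
function tokendemo_menu() {
  $items['tokendemo/toggle/%node'] = array(
    'title' => 'Toggle flag',
    'page callback' => 'tokendemo_toggle',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Token "value" shared by minting and checking. Binding it to the node ID
 * means a token issued for one node cannot be replayed against another;
 * drupal_get_token() additionally binds it to the current session.
 */
function tokendemo_token_value($nid) {
  return 'tokendemo-toggle-' . $nid;
}

/**
 * Builds the URL the page's JavaScript (or a plain link) will request.
 * Drupal 6 url() takes the query as a string.
 */
function tokendemo_toggle_url($node) {
  $token = drupal_get_token(tokendemo_token_value($node->nid));
  return url('tokendemo/toggle/' . $node->nid, array(
    'query' => 'token=' . rawurlencode($token),
  ));
}

/**
 * Menu callback for the state-changing endpoint. The request is refused
 * unless it carries a token minted for this session and this node; the
 * check is the same whether the token arrives via GET or POST.
 */
function tokendemo_toggle($node) {
  $token = '';
  if (isset($_POST['token'])) {
    $token = $_POST['token'];
  }
  elseif (isset($_GET['token'])) {
    $token = $_GET['token'];
  }

  if (!drupal_valid_token($token, tokendemo_token_value($node->nid))) {
    // Forged or cross-site request: no state change, 403 to the caller.
    drupal_access_denied();
    return;
  }

  // ... perform the actual state change for $node here ...

  drupal_json(array('status' => 'ok', 'nid' => $node->nid));
}
```

The token only has to cover callbacks that change server state; a read-only endpoint gains nothing from it. When such a token does travel in a GET URL, keep in mind that query strings end up in Referer headers, browser history and server logs, which is one practical reason to prefer POST for the state-changing request even though the validation code above is method-agnostic.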