[development] Handling optional parameters

Yuval Hager yuval at avramzon.net
Thu Sep 25 09:10:16 UTC 2008


On Wednesday 24 September 2008, Steven Wittens wrote:
> > Also, you shouldn't be taking any action just from a GET request, or
> > you're opening yourself to CSRF (Cross site request forgery).  To
> > avoid this, you need a confirm form that uses POST to actually
> > trigger the action.
>
> This isn't really about GET vs POST, but rather about using session-
> derived tokens (which you get for free with Form API). To avoid the
> annoyance of a confirm form, you can add and verify tokens manually
> with drupal_get_token() and drupal_valid_token(). Which you should be
> doing for ajax callbacks anyway, regardless of whether they are POST
> or GET.
>
> Steven

Do I need a verification token for GET (=idempotent) calls? My impression was 
that as long as nothing changes on the server (besides view counts), this token 
is not really needed. I try to avoid the practice of adding long verification 
tokens to GET URLs, since it is ugly.

--yuval
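As an added illustration of the token approach Steven describes (this is example code written for this page, not code from the thread's participants or from Drupal core), here is a Drupal 6-style menu callback that performs a state-changing action only when the request carries a token minted with drupal_get_token() and checked with drupal_valid_token(). The module name "example", the path "example/toggle/%node", the function names and the "administer nodes" permission are all assumptions for the sake of the example; the check is applied regardless of whether the request arrives as GET or POST, since an attacker's page can cause the victim's browser to issue either.

```php
<?php
// Added example for a Drupal 6-era module (hypothetical module name "example").
// Demonstrates binding a session-derived token to an action so that a request
// forged from another site (CSRF) is rejected, even for a GET callback.

/**
 * Implementation of hook_menu().
 */
function example_menu() {
  $items = array();
  // %node makes Drupal load the node object for argument 2 before the callback runs.
  $items['example/toggle/%node'] = array(
    'page callback'    => 'example_toggle',
    'page arguments'   => array(2),
    'access arguments' => array('administer nodes'),  // assumed permission
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Build the link that triggers the action for a given node.
 *
 * The token value is tied to the node id, so a token obtained for one node
 * cannot be replayed against a different node by the same user.
 */
function example_toggle_link($node) {
  $token = drupal_get_token('example_toggle_' . $node->nid);
  // Drupal 6's url()/l() accept the query part as a string.
  return l(t('Toggle'), 'example/toggle/' . $node->nid,
           array('query' => 'token=' . $token));
}

/**
 * Page callback: flip the node's published flag, but only for a genuine request.
 */
function example_toggle($node) {
  // Accept the token from either the query string or a POST body; the origin
  // of the request (GET vs POST) is not what makes it trustworthy.
  $token = isset($_REQUEST['token']) ? $_REQUEST['token'] : '';

  // drupal_valid_token() recomputes the token from the current session and the
  // same value used when minting it; a missing or foreign token fails here.
  if (!drupal_valid_token($token, 'example_toggle_' . $node->nid)) {
    // Deny rather than silently ignoring: this is the detection point for a
    // forged request and is worth watching in the access log.
    watchdog('example', 'Rejected toggle for node %nid: invalid CSRF token.',
             array('%nid' => $node->nid), WATCHDOG_WARNING);
    return drupal_access_denied();
  }

  // Only now perform the state change.
  $node->status = $node->status ? 0 : 1;
  node_save($node);

  // Respond as an ajax callback would.
  drupal_json(array('nid' => $node->nid, 'status' => (int) $node->status));
}
```

Two points a reviewer would raise on this pattern: the token is tied to the user's session, so for anonymous users without a session it offers little protection (drupal_valid_token() has a skip_anonymous parameter for exactly that reason, and such actions are better restricted to authenticated users); and including the token in the URL, which Yuval finds ugly, has a real cost beyond aesthetics, since GET URLs end up in browser history, proxy logs and Referer headers, which is one more reason to keep genuinely state-changing actions behind a POST form even when a token is present.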
