C#•4y ago

[ASP.NET] Trying to understand the [HttpGet] and [HttpPost] tags

I understand that the tag is used to provide precedence to one action method over another where same URL is matched.

However, I notice that tagging a method with [Http..] invalidates access via normal <a href> links.

For example, this would NOT work

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

Whereas these two would work:

        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...

<a class="btn btn-primary btn-sm" asp-action="DelLoginCookie" asp-controller="Login">Logout</a>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>

[HttpPost]
        public IActionResult DelLoginCookie()
        {
            Response.Cookies.Delete("sessionId");

            return Redirect(Request.Headers["Referer"].ToString());
        }

...
<form role="search" action="/Login/DelLoginCookie" method="POST">
        <button class="btn btn-dark" id="test2" type="submit">Logout</button>
    </form>

In this case, I am wondering if it is still good practice to leave methods untagged so that they can be called via <a href> buttons? Or could this pose any security issues?

FroH.LVT•10/24/22, 9:09 AM

it depends on what you need.

FroH.LVT•10/24/22, 9:09 AM

a + href = GET by default. In controller you mark it POST ==> Rejected

FroH.LVT•10/24/22, 9:10 AM

your form use POST method => work

FroH.LVT•10/24/22, 9:10 AM

you can read more about them here : https://www.w3schools.com/tags/ref_httpmethods.asp

W3Schools offers free online tutorials, references and exercises in all the major languages of the web. Covering popular subjects like HTML, CSS, JavaScript, Python, SQL, Java, and many, many more.

surwrenOP•10/25/22, 12:05 AM

So it's not possible to have duplicate methods, with different tags [HttpGet]/[HttpPost]/unlabelled?

surwrenOP•10/25/22, 12:06 AM

Was thinking of routing to the same method but differentiating by tag, I assume this is not possible?

FFroH.LVT it depends on what you need.

surwrenOP•10/25/22, 12:27 AM

Also, why is it that just adding a button will not call the IActionResult even with a type="submit"?

<button asp-controller="Login" asp-action="AddLoginCookie" type="submit">Login</button>

<button asp-controller="Login" asp-action="AddLoginCookie" type="submit">Login</button>

FroH.LVT•10/25/22, 12:43 AM

only work in <form>. Without form button type submit is the same as other buttons

FFroH.LVT only work in <form>. Without form button type submit is the same as other button...

surwrenOP•10/25/22, 12:45 AM

So basically adding tags like <asp-controller="Login" asp-action="AddLoginCookie"> to buttons do nothing, and they can only call IActionResults if they're embedded within a form with designated action like the following?