
Should a logoff request be designed as GET or POST?


I'm implementing some REST services. The first service I have to call according to the SDK is an HTTP POST request to logon. The input is my user's credentials, and the output is my session id.

To log out, I also have to make an HTTP POST request, but without any data/payload in the request body. Instead, a header field must be added to the request that contains the session id.

I'm a bit torn: is this the correct design for a logoff request, or should a GET method be used instead? More generally, should a request with no input (except query parameters and request headers) and no output be a GET, a POST, or something else? Why so or why not?


Solution

  • According to RFC 2616, GET is a "safe method" that

    SHOULD NOT have the significance of taking an action other than retrieval

    Log off does not seem like a safe action to me, so GET is not suitable.

    It should therefore be a POST. No other HTTP verb seems semantically suitable.
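
The design discussed above, as an added example that is not part of the original question or answer: a logout endpoint written as a WSGI app that changes state only on POST and answers any other method with 405 and an `Allow: POST` header. The header name `X-Session-Id`, the in-memory `SESSIONS` store and the `login`/`call` helpers are assumptions made for illustration; the question does not name the SDK's header.

```python
# Assumption: the session id travels in a header named X-Session-Id
# (hypothetical; the SDK's real header name is not given on the page).
import secrets

SESSIONS = set()  # in-memory session store, for illustration only


def login():
    """Stand-in for the logon call: issue and remember a new session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS.add(sid)
    return sid


def logout_app(environ, start_response):
    """WSGI handler for the logout resource; returns the (empty) body."""
    method = environ.get("REQUEST_METHOD", "")
    if method != "POST":
        # GET and HEAD are safe methods: clients such as prefetchers and
        # crawlers may issue them freely, so they must never end a session.
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    sid = environ.get("HTTP_X_SESSION_ID", "")
    if sid not in SESSIONS:
        start_response("401 Unauthorized", [])
        return [b""]
    SESSIONS.discard(sid)  # the state change that makes logout unsafe
    # No request body and no response body: 204 No Content fits.
    start_response("204 No Content", [("Cache-Control", "no-store")])
    return [b""]


def call(method, sid=None):
    """Drive the app without a socket; returns (status, headers dict)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/logout"}
    if sid is not None:
        environ["HTTP_X_SESSION_ID"] = sid
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    logout_app(environ, start_response)
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    sid = login()
    for m in ("GET", "POST", "POST"):  # refused, logged out, already gone
        print(m, call(m, sid))
```
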