ASP.NET form method "post" and "get"

https://forums.asp.net/t/1796310.aspx?ASP+NET+form+method+post+and+get+

GET: 
1) Data is appended to the URL(QueryString)
2) Data is not secret.(Can be seen by anyone) 
3) It is a single call system 
4) Maximum data that can be sent is 256. 
5) Data transmission is faster 
6) This is the default method for many browsers

POST: 
1) Data is not appended to the URL but sent as part of Http Body.
2) Data is Secret 
3) It is a two call system. 
4) There is no Limit on the amount of data.That is characters any amount of data can be sent. 
5) Data transmission is comparatively slow. 
6) No default and should be Explicitly specified.

https://social.technet.microsoft.com/wiki/contents/articles/11697.using-method-type-postget-in-asp-net-web-form.aspx

I  will start the article from with detailed information.

Actually form has two types of in asp.net2.0.
1) Get
2) Post

When working with Get method:

• We can access all form input variables in the next page which we mentioned in the action attribute.
• All the submitted information is displayed in the address bar as part of the URL.
• Url Which is not secured because values will be shown in address bar

When working with Post method:

• we can access the variables in the page which we mentioned in the action attribute.
• we can access those variable as shown below
• which is more secured, variable not accessible

Now we will have small application with 2 web pages

1)       default.aspx

2)       Webform.aspx

GET:

• I have given the value for action attribute is webform1.aspx in the default.aspx page with method type

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head runat="server">

<title>Untitled Page</title>

</head>

<body>

<form action="webform1.aspx" method="get" >

First name: <input type="text" name="fname" /><br />

Last name: <input type="text" name="lname" /><br />

Age: <input type="text" name="age" /><br />

<input type="submit" value="Submit" />

</form>

</body>

</html>

• Variables will be available in the address bar like below .

http://localhost:50920/webform1.aspx?fname=jhon&lname=smith&age=30

• We can access the variables from the Address to Form using Request.QueryString[] like below.

protected void Page_Load(object sender, EventArgs e)

{

if (Request.QueryString["fname"] != null)

{

Response.Write("fname : " + Request.QueryString["fname"] + \n");

}

if (Request.QueryString["lname"] != null)

{

Response.Write("lname : " + Request.QueryString["lname"] + "");

}

}

POST:

• Variables will be post to the next page  using Post method type

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head runat="server">

<title>Untitled Page</title>

</head>

<body>

<form action="webform1.aspx" method="post" >

First name: <input type="text" name="fname" /><br />

Last name: <input type="text" name="lname" /><br />

Age: <input type="text" name="age" /><br />

<input type="submit" value="Submit" />

</form>

</body>

</html>

• We cannot access the variables from the url.

http://localhost:50920/webform1.aspx

• We can access the variables from the request. Form [].

protected void Page_Load(object sender, EventArgs e)

{

if (Request.Form["fname"] != null)

{

Response.Write("fname : " + Request.Form["fname"] + "\n");

}

if (Request.Form["lname"] != null)

{

Response.Write("lname : " + Request.Form["lname"] + "");

}

}

https://www.w3schools.com/tags/ref_httpmethods.asp

The GET Method

Note that the query string (name/value pairs) is sent in the URL of a GET request:

/test/demo_form.php?name1=value1&name2=value2

Some other notes on GET requests:

• GET requests can be cached
• GET requests remain in the browser history
• GET requests can be bookmarked
• GET requests should never be used when dealing with sensitive data
• GET requests have length restrictions
• GET requests should be used only to retrieve data

---

The POST Method

Note that the query string (name/value pairs) is sent in the HTTP message body of a POST request:

POST /test/demo_form.php HTTP/1.1
Host: w3schools.com
name1=value1&name2=value2

Some other notes on POST requests:

• POST requests are never cached
• POST requests do not remain in the browser history
• POST requests cannot be bookmarked
• POST requests have no restrictions on data length

https://security.stackexchange.com/questions/33837/get-vs-post-which-is-more-secure

POST is more secure than GET for a couple of reasons.

GET parameters are passed via URL. This means that parameters are stored in server logs, and browser history. When using GET, it makes it very easy to alter the data being submitted the the server as well, as it is right there in the address bar to play with.

The problem when comparing security between the two is that POST may deter the casual user, but will do nothing to stop someone with malicious intent. It is very easy to fake POST requests, and shouldn't be trusted outright.

The biggest security issue with GET is not malicious intent of the end-user, but by a third party sending a link to the end-user. I cannot email you a link that will force a POST request, but I most certainly can send you a link with a malicious GET request. I.E:

Click Here for the best free movies!

Edit:

I just wanted to mention that you should probably use POST for most of your data. You would only want to use GET for parameters that should be shared with others, i.e: /viewprofile.php?id=1234, /googlemaps.php?lat=xxxxxxx&lon=xxxxxxx