How should I choose between GET and POST methods in HTML forms?

Question

I wish to know all the pros and cons about using these two methods. In particular the implications on web security.

Thanks.

Answer 1

In addition to the fine answers from e.g. Micke, I want to point out an important difference in how browser interfaces handle pages requested with GET vs. POST.

If you reload a GET-requested page, the browser will just fetch the URL again (from the server or from cache), However if you reload a POST, the browser will show a slightly confusing warning popup about reposting data, which the user may then cancel (leading to an even more confusing "expired" page). Same thing if you use back or history to return to a page which is the result of a POST.

This is of course based on the different semantics: GET-requests are supposed to be idempotent - i.e, you can do it several times without changing anything. POSTs on the other hand are for actions with side effects, like signing up for something, bying something, posting a comment on forum. Typically the user dont expect to repeat this action when reloading, so the warning is sensible. However, avoid to use POST if the action is safely repeatable (like a search), since the warning is not necessary and would just be a confusing to the user.

A point regarding security: If you have a password field in a GET-form the password will get masked for prying eyes when you type it in, however, it will be plainly visible in the address bar when you hit submit! But apart from that, there is no real security in either GET and POST, so use SSL if that is a concern.