July 18, 2011 / pauldundon

Unexpected GET Requests

The problem: You have a website which works fine in a test environment but experiences unexpected GET requests when running in a production environment. These requests may be causing problems in your application if, for example, you are using IsPostBack to determine whether or not to initialise session state.

The cause: The HTTP specification recommends that GET requests are safe, i.e., do not cause changes of state on the server. Specifically, the specification requires that clients can assume that GET requests are safe and that they are not responsible for any side-effects. In some network architectures, intermediaries (e.g. caching proxies) will make independent GET requests as part of their operation. For example, a client might request index.aspx and an intermediary might make the same request a few seconds later. Importantly, the intermediary may use the same session identifier (cookie or URL) as the client.

Another possible cause shows up as a problem if you are using Chrome or Safari but not IE or Firefox. If your HTML contains an <img> tag with an empty src attribute, IE and Firefox will do nothing, but Chrome and Safari will resolve the source URL to the URL of the page hosting the image. This will generate a GET request for the page.

The solution: Although it isn’t practical to screen out requests of this kind, it is generally possible and desirable to make your handling of GET requests safe. For example, consider moving session state to view state or initialising it the first time it is read.
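
One way to apply this in a Web Forms code-behind, as an added example that is not from the original post: the commented-out Page_Load shows the IsPostBack reset that a duplicate GET would trigger, and the Basket property initialises session state the first time it is read instead. The page class name, the "Basket" session key and the ItemCount and NewItem controls are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Hypothetical code-behind for index.aspx. ItemCount (Label) and NewItem
// (TextBox) are assumed to be declared in the page markup.
public partial class Index : Page
{
    private const string BasketKey = "Basket"; // assumed session key

    // Unsafe pattern: every non-postback GET resets the basket, so a second
    // GET carrying the same session identifier (an intermediary's re-request,
    // or an <img src=""> resolved to the page URL) wipes the user's state.
    //
    // protected void Page_Load(object sender, EventArgs e)
    // {
    //     if (!IsPostBack)
    //         Session[BasketKey] = new List<string>();
    // }

    // Safe pattern: the basket is created only the first time it is read
    // and is never overwritten by a later GET.
    private List<string> Basket
    {
        get
        {
            var basket = Session[BasketKey] as List<string>;
            if (basket == null)
            {
                basket = new List<string>();
                Session[BasketKey] = basket;
            }
            return basket;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Rendering only reads state, so a duplicate GET renders the same page.
        ItemCount.Text = Basket.Count.ToString();
    }

    // State changes happen only in postback (POST) event handlers.
    protected void AddItem_Click(object sender, EventArgs e)
    {
        Basket.Add(NewItem.Text);
        ItemCount.Text = Basket.Count.ToString();
    }
}
```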
