If your action is not idempotent, then you MUST use POST
. If you don't, you're just asking for trouble down the line. GET
, PUT
and DELETE
methods are required to be idempotent. Imagine what would happen in your application if the client was pre-fetching every possible GET
request for your service – if this would cause side effects visible to the client, then something's wrong.
I agree that sending a POST
with a query string but without a body seems odd, but I think it can be appropriate in some situations.
Think of the query part of a URL as a command to the resource to limit the scope of the current request. Typically, query strings are used to sort or filter a GET
request (like ?page=1&sort=title
) but I suppose it makes sense on a POST
to also limit the scope (perhaps like ?action=delete&id=5
).
One possible solution uses JavaScript on the client.
The client algorithm:
- Generate a random unique token.
- Submit the download request, and include the token in a GET/POST field.
- Show the "waiting" indicator.
- Start a timer, and every second or so, look for a cookie named "fileDownloadToken" (or whatever you decide).
- If the cookie exists, and its value matches the token, hide the "waiting" indicator.
The server algorithm:
- Look for the GET/POST field in the request.
- If it has a non-empty value, drop a cookie (e.g. "fileDownloadToken"), and set its value to the token's value.
Client source code (JavaScript):
function getCookie( name ) {
var parts = document.cookie.split(name + "=");
if (parts.length == 2) return parts.pop().split(";").shift();
}
function expireCookie( cName ) {
document.cookie =
encodeURIComponent(cName) + "=deleted; expires=" + new Date( 0 ).toUTCString();
}
function setCursor( docStyle, buttonStyle ) {
document.getElementById( "doc" ).style.cursor = docStyle;
document.getElementById( "button-id" ).style.cursor = buttonStyle;
}
function setFormToken() {
var downloadToken = new Date().getTime();
document.getElementById( "downloadToken" ).value = downloadToken;
return downloadToken;
}
var downloadTimer;
var attempts = 30;
// Prevents double-submits by waiting for a cookie from the server.
function blockResubmit() {
var downloadToken = setFormToken();
setCursor( "wait", "wait" );
downloadTimer = window.setInterval( function() {
var token = getCookie( "downloadToken" );
if( (token == downloadToken) || (attempts == 0) ) {
unblockSubmit();
}
attempts--;
}, 1000 );
}
function unblockSubmit() {
setCursor( "auto", "pointer" );
window.clearInterval( downloadTimer );
expireCookie( "downloadToken" );
attempts = 30;
}
Example server code (PHP):
$TOKEN = "downloadToken";
// Sets a cookie so that when the download begins the browser can
// unblock the submit button (thus helping to prevent multiple clicks).
// The false parameter allows the cookie to be exposed to JavaScript.
$this->setCookieToken( $TOKEN, $_GET[ $TOKEN ], false );
$result = $this->sendFile();
Where:
public function setCookieToken(
$cookieName, $cookieValue, $httpOnly = true, $secure = false ) {
// See: http://stackoverflow.com/a/1459794/59087
// See: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
// See: http://stackoverflow.com/a/3290474/59087
setcookie(
$cookieName,
$cookieValue,
2147483647, // expires January 1, 2038
"/", // your path
$_SERVER["HTTP_HOST"], // your domain
$secure, // Use true over HTTPS
$httpOnly // Set true for $AUTH_COOKIE_NAME
);
}
Best Answer
Create POST URLRequest and use it to fill webView