4

I'm implementing some REST services. The first service I have to call according to the SDK is an HTTP POST request to log on. The input is my user's credentials, and the output is my session id.

To log out, I also have to make an HTTP POST request, but without any data/payload in the request body. Instead, a header field that contains the session id must be added to the request.

I'm a bit torn: is this the correct design for a logoff request, or should a GET method be used instead? More generally, should a request with no input (except query parameters and request headers) and no output be a GET, a POST, or something else? Why or why not?

user1884155
  • I'd say POST. General principle: anything that causes a change in state should be in a POST, not a GET. – Matthew Apr 23 '15 at 15:04

1 Answer

4

According to RFC 2616, GET is a "safe method" that "SHOULD NOT have the significance of taking an action other than retrieval".

Log off does not seem like a safe action to me, so GET is not suitable.

It should therefore be a POST. No other HTTP verb seems semantically suitable.

ma499
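The design discussed above, as an added example that is not part of the original question or answer: a minimal WSGI service where logon and logoff both change session state, so both accept POST only and answer any other method with 405 and an `Allow: POST` header. The paths, the `X-Session-Id` header name, the JSON body shape and the sample credentials are assumptions made for this sketch; the SDK in the question is not shown on the page.

```python
import json, secrets
from io import BytesIO

SESSIONS = set()                           # in-memory session store (example only)
USERS = {"alice": "constructed-password"}  # constructed sample credentials
SESSION_HEADER = "HTTP_X_SESSION_ID"       # WSGI key for the assumed X-Session-Id header

def app(environ, start_response):
    """WSGI app: POST /logon returns a session id, POST /logoff invalidates it."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if path not in ("/logon", "/logoff"):
        start_response("404 Not Found", [])
        return [b""]
    if method != "POST":
        # Both endpoints change server state, so safe methods (GET, HEAD) are refused.
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    if path == "/logon":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        try:
            creds = json.loads(environ["wsgi.input"].read(length))
            user, supplied = str(creds["user"]), str(creds["password"]).encode()
        except (ValueError, KeyError, TypeError):
            user, supplied = "", b""       # malformed body is treated as bad credentials
        expected = USERS.get(user)
        if expected is None or not secrets.compare_digest(expected.encode(), supplied):
            start_response("401 Unauthorized", [])
            return [b""]
        sid = secrets.token_urlsafe(32)    # unguessable session id
        SESSIONS.add(sid)
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps({"session_id": sid}).encode()]
    # /logoff: empty request body, session id carried in a request header.
    sid = environ.get(SESSION_HEADER, "")
    if sid not in SESSIONS:
        start_response("401 Unauthorized", [])
        return [b""]
    SESSIONS.discard(sid)                  # the state change that makes this unsafe for GET
    start_response("204 No Content", [])
    return []

def call(method, path, body=b"", headers=None):
    """Drive the app in-process; returns (status, response headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": BytesIO(body),
               "CONTENT_LENGTH": str(len(body)), **(headers or {})}
    seen = []
    data = b"".join(app(environ, lambda status, hdrs: seen.append((status, dict(hdrs)))))
    return seen[0][0], seen[0][1], data
```

A GET to `/logoff` leaves the session intact, so a followed link or a prefetching client cannot end it. Carrying the session id in a header also keeps it out of request URLs, which commonly end up in access logs.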