TornSoul
BIG Gentlemen's Agreement
0
|
Posted - 2011.04.07 20:45:00 -
[1] - Quote
"All parameters needed by the API are sent over HTTP, either by POST (preferred) or GET" (linky)
Never really worried much about the difference of doing POST or GET, but it bit me the other day.
And it leaves me with the question of "Why" - is POST _preferred_ ???
If anything it ought to be the other way around (imo anyhow).
Any devs care to elaborate?
|
Desmont McCallock
9
|
Posted - 2011.04.07 21:01:00 -
[2] - Quote
Methods GET and POST in HTML forms - what's the difference? |
Mikk36
E-x7 Network Saints Amongst Sinners
5
|
Posted - 2011.04.07 21:13:00 -
[3] - Quote
Since we're asking for data from the API, shouldn't GET be preferred then? |
TornSoul
BIG Gentlemen's Agreement
0
|
Posted - 2011.04.07 21:19:00 -
[4] - Quote
Mikk36 wrote:Since we're asking for data from the API, shouldn't GET be preferred then?
@Desmont McCallock I'm aware of the difference between POST and GET (That's not what the question is about)
@Mikk36 Exactly my thinking as well - Hence why I got wondering about the statement of POST being preferred...
It seems odd - And off the top of my head I can't think of any technical reason for the recommendation. |
Hel O'Ween
Men On A Mission
0
|
Posted - 2011.04.07 22:12:00 -
[5] - Quote
TornSoul wrote: Mikk36 wrote: Since we're asking for data from the API, shouldn't GET be preferred then? @Desmont McCallock I'm aware of the difference between POST and GET (That's not what the question is about) @Mikk36 Exactly my thinking as well - Hence why I got wondering about the statement of POST being preferred... It seems odd - And off the top of my head I can't think of any technical reason for the recommendation.
It's in the page linked above and you quoted:
Quote: Note - The URL encoding may result in very long URIs, which cause some historical HTTP server implementations to exhibit defective behavior. As a result, some HTML forms are written using METHOD=POST even though the form submission has no side-effects.
The limitations are not only historical. There is an official statement by Microsoft, originally published 2000-02-23: INFO: Maximum URL Length Is 2,083 Characters in Internet Explorer (Q208427).
We're nowhere near such a limit, but better be safe than sorry, I guess. Also, as mentioned on that page, non-ASCII characters need to be encoded in a GET request. While I'm not aware that those are present yet, the time may come where the API allows/needs such stuff. Using POST in the first place circumvents the need for encoding (and saves the developer from those "Darn! I forgot about that"-moments). |
dexington
Baconoration
22
|
Posted - 2011.04.08 01:32:00 -
[6] - Quote
Maybe the web cache they use for the API is more optimized to handle POST data, but I don't think it really matters what you use.
There could also be a minor security problem if someone decides to send GET commands using links in a browser: they could end up saved in the browser history, which could compromise the security of your API key. |
Dragonaire
Corax. Everto Rex Regis
3
|
Posted - 2011.04.08 04:11:00 -
[7] - Quote
Another reason POST would be considered better is that with GET, even when using https, since the information needed to access your info, like the ApiKey etc., is in the clear as part of the URL before encryption is started, all anyone has to do is intercept the first packet or two you sent and they can make their own connection and get your XML data themselves, since you already supplied them with the info they need in the URL itself. With POST the connection is already in an encrypted state before your ApiKey etc. are sent to the API servers, so they are not exposed to everyone. |
dexington
Baconoration
22
|
Posted - 2011.04.08 04:48:00 -
[8] - Quote
Dragonaire wrote: Another reason POST would be considered better is that with GET, even when using https, since the information needed to access your info, like the ApiKey etc., is in the clear as part of the URL before encryption is started, all anyone has to do is intercept the first packet or two you sent and they can make their own connection and get your XML data themselves, since you already supplied them with the info they need in the URL itself. With POST the connection is already in an encrypted state before your ApiKey etc. are sent to the API servers, so they are not exposed to everyone.
That doesn't sound right. SSL has nothing to do with HTTP; the full encrypted connection should be established before you are able to use either the POST or GET command. |
Xander Hunt
Dead Rats Tell No Tales
0
|
Posted - 2011.04.08 06:56:00 -
[9] - Quote
dexington wrote: Dragonaire wrote: Another reason POST would be considered better is that with GET, even when using https, since the information needed to access your info, like the ApiKey etc., is in the clear as part of the URL before encryption is started, all anyone has to do is intercept the first packet or two you sent and they can make their own connection and get your XML data themselves, since you already supplied them with the info they need in the URL itself. With POST the connection is already in an encrypted state before your ApiKey etc. are sent to the API servers, so they are not exposed to everyone. That doesn't sound right. SSL has nothing to do with HTTP; the full encrypted connection should be established before you are able to use either the POST or GET command.
Not exactly.
If you make the request with the API info in the URL, you're not sending encrypted data insofar as what the URL contains. The exchange of data once the connection has been established, such as the XML data being fed back to you, IS encrypted. If you send the data via the POST, the POST data gets processed after the handshake occurs.
At the server side of things, your data is encrypted by the HTTP processor, then whatever language beneath the HTTP processor (PHP/ASP/etc) processes your data in clear text.
Edit: Basically what I'm saying is the initial URL call (http://api.eveonline.com/corp/wallet.aspx.xml&charid=12345&api=431451nasd&etc) the charid and api and etc can be sniffed at initial call. |
Harry Pearce
The Intel Project
1
|
Posted - 2011.04.08 07:26:00 -
[10] - Quote
I thought the initial SSL handshake and setup happened before the request containing the URL gets sent, i.e. connect to port 443 -> set up SSL -> send 'GET /secret/url/with/personal/details' -> receive data |
|
Lutz Major
0
|
Posted - 2011.04.08 07:42:00 -
[11] - Quote
Xander Hunt wrote: Not exactly.
If you make the request with the API info in the URL, you're not sending encrypted data insofar as what the URL contains. The exchange of data once the connection has been established, such as the XML data being fed back to you, IS encrypted. If you send the data via the POST, the POST data gets processed after the handshake occurs.
At the server side of things, your data is encrypted by the HTTP processor, then whatever language beneath the HTTP processor (PHP/ASP/etc) processes your data in clear text.
Edit: Basically what I'm saying is the initial URL call (http://api.eveonline.com/corp/wallet.aspx.xml&charid=12345&api=431451nasd&etc) the charid and api and etc can be sniffed at initial call.
The SSL layer is below the HTTP layer, so therefore the encrypted connection must exist already when your browser transfers the data ... regardless of GET or POST. |
TornSoul
BIG Gentlemen's Agreement
0
|
Posted - 2011.04.08 08:55:00 -
[12] - Quote
Some interesting observations.
However, it still misses the point (that I'm trying to find an answer for). All of the above discusses why it would be in *our* best interest to use either GET/POST (forgetting to encode, security etc).
But why would *CCP* prefer we use POST over GET?
Maybe I'm just reading too much into the wording - But "preferred" indicates to me that *CCP* would prefer us to use POST. - While had they used "recommended" it would indicate it would probably be in *our* best interest to use POST.
And that's pretty much what spurred my "idle question" - Why on earth would CCP prefer we used POST? Why does using POST over GET "help" CCP - To the extent they would prefer we use POST?
|
Mikk36
E-x7 Network Saints Amongst Sinners
5
|
Posted - 2011.04.08 09:59:00 -
[13] - Quote
I guess this would probably be the time to note that eve-id is not the source of official CCP statements? |
Hel O'Ween
Men On A Mission
0
|
Posted - 2011.04.08 11:06:00 -
[14] - Quote
Mikk36 wrote: I guess this would probably be the time to note that eve-id is not the source of official CCP statements?
You're right. But I remember reading the "use POST over GET" part somewhere on CCP's official (sparse) API pages back when I first looked at the API. So EVE-ID.NET just mirrors that.
BTW, I remember that this question ("What should we use? GET or POST") came up in one of the API dev tracks at the FanFest and PrismX answered (paraphrased) "Doesn't really matter, we don't care."
But, pst! - I haven't told you that.
|
Xander Hunt
Dead Rats Tell No Tales
0
|
Posted - 2011.04.08 11:12:00 -
[15] - Quote
Lutz Major wrote: The SSL layer is below the HTTP layer, so therefore the encrypted connection must exist already when your browser transfers the data ... regardless of GET or POST.
That would mean that the browser would have to connect to the server based on the domain (api.eveonline.com) and obtain/exchange the keys for proper data exchange, then make the calls accordingly.
And according to the big grey block at the bottom of the page at http://www.ourshop.com/resources/ssl_step1.html I am indeed incorrect.
TornSoul wrote: And that's pretty much what spurred my "idle question" - Why on earth would CCP prefer we used POST? Why does using POST over GET "help" CCP - To the extent they would prefer we use POST?
The only thing that I can come up with is that I don't think the API was always an encrypted transaction, so to make things a bit more tricky, and things couldn't be read from a URL, they suggested that this kind of information be passed as a POST (Since it isn't passed in as part of the URL). Anyone determined enough though could get that info. |
Catari Taga
Centre Of Attention Middle of Nowhere
222
|
Posted - 2011.04.08 12:16:00 -
[16] - Quote
Mikk36 wrote: I guess this would probably be the time to note that eve-id is not the source of official CCP statements?
Much of the API documentation at http://wiki.eve-id.net was actually originally written by CCP Garthak, the guy who created the API at CCP, or copied from his posts and dev blogs (which do mention HTTP POST, might be the API was originally POST only, but that was before my time). The API doc at EVElopedia states that you have to use POST (http://wiki.eveonline.com/en/wiki/EVE_API_Functions).
In the end it does not matter since the server handles both, but due to URL length limitations it makes sense to use POST by default (and if you do not connect via SSL, then also if you do not want your API data written into logs). CCP themselves have been using HTTP GET links to access your API data on the "My Character" part of the eve-o website for as long as I remember.
PS: I went and changed the HTTP POST (preferred) to a HTTP POST (recommended) on the eve-dev wiki in the hope of preventing further confusion. |
dexington
Baconoration
22
|
Posted - 2011.04.08 13:10:00 -
[17] - Quote
Xander Hunt wrote: Lutz Major wrote: The SSL layer is below the HTTP layer, so therefore the encrypted connection must exist already when your browser transfers the data ... regardless of GET or POST.
That would mean that the browser would have to connect to the server based on the domain (api.eveonline.com) and obtain/exchange the keys for proper data exchange, then make the calls accordingly. And according to the big grey block at the bottom of the page at http://www.ourshop.com/resources/ssl_step1.html I am indeed incorrect.
The way HTTPS works, when using a browser, is that you tell the browser to use the https protocol and not http, e.g. https://www.x.com.
What this does is tell the browser it needs to connect to port 443, and not 80. When the browser connects to 443, the server is going to request the connection be made using secure sockets, which is a protocol implemented on a lower level than the http protocol. Unless the secure connection is in place you can not send or request any data from the server using that port.
The only way someone would be able to intercept the GET command is if the http port (80) is used to redirect the browser to the https port. This is not impossible, but it would require some stupidity on behalf of either the server/client programmer or the client user.
Quote:Theoretically SSL can transparently secure any TCP-based protocol running on any port if both sides know the other side is using SSL. However, in practice, separate port numbers have been reserved for each protocol commonly secured by SSL -- this allows packet filtering firewalls to allow such secure traffic through. |
TornSoul
BIG Gentlemen's Agreement
0
|
Posted - 2011.04.08 14:11:00 -
[18] - Quote
Catari Taga wrote:PS: I went and changed the HTTP POST (preferred) to a HTTP POST (recommended) on the eve-dev wiki in the hope of preventing further confusion.
Hehe - That's one way of dealing with it I suppose
But at least the thread (to me) has confirmed that the "preferred" bit indeed is not technically justified.
|
Dragonaire
Corax. Everto Rex Regis
3
|
Posted - 2011.04.08 14:32:00 -
[19] - Quote
As pointed out above, I wasn't thinking about which level the actual connection is made, so both GET and POST would be encrypted. I know I started using POST in Yapeal because it is better for privacy when using http, where the info is more exposed, plus I liked the cleaner URLs, but I often use GET during testing because it does make figuring out what's going wrong easier at times. Also, as pointed out above, there are some limits on length for URLs, which generally you don't have to worry about, at least with the Eve APIs. In the end it comes down to which you as a developer prefer to use, and we'll probably see, now that the APIs are done over https, more people using GET, since it's very easy to build them manually by putting a few strings together vs. actually learning how to use all the extra stuff usually needed in most programming languages to use POST. |
Catari Taga
Centre Of Attention Middle of Nowhere
222
|
Posted - 2011.04.08 14:40:00 -
[20] - Quote
Dragonaire wrote: Also as pointed out above there are some limits on length for URLs which generally you don't have to worry about at least with the Eve APIs.
There's quite a few APIs that can run over the URL length limit because they can take a list of parameters, e.g. if you want to resolve names on a killmail with a lot of involved pilots that will not fit into one call if you use GET. |
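The access-log and browser-history concern raised in posts 6 and 16, as an added example that is not part of the original thread: a loopback HTTP server captures what a default access log records when the same parameters arrive by GET and by POST. The endpoint path is hypothetical and the `charid`/`api` values are the made-up ones from the example URL in post 9; plain HTTP on 127.0.0.1 is used because what the server logs does not depend on TLS.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

# Constructed credentials: the made-up values from the example URL in post 9.
PARAMS = {"charid": "12345", "api": "431451nasd"}
PATH = "/corp/wallet.aspx.xml"  # hypothetical endpoint path


def run_demo():
    """Send PARAMS by GET, then by POST; return (access_log_lines, post_body)."""
    access_log, bodies = [], []

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, fmt, *args):
            # Keep what the default access log would have written to stderr.
            access_log.append(fmt % args)

        def _reply(self):
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def do_GET(self):
            self._reply()

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            bodies.append(self.rfile.read(length).decode())
            self._reply()

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        query = urlencode(PARAMS)
        for method, url, body in (("GET", f"{PATH}?{query}", None),
                                  ("POST", PATH, query)):
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
            hdrs = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
            conn.request(method, url, body=body, headers=hdrs)
            conn.getresponse().read()
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return access_log, bodies[0]
```

The GET entry in the returned log contains the full query string, key included, while the POST entry shows only the path; the same form-encoded parameters reach the server in the body, which the access log never sees.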