Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / security

C#, Web API: HTTP GET with a Request Body

4.77/5 (7 votes)
2 Dec 2014CPOL2 min read 150.2K  
C#, Web API: HTTP GET with a Request Body

Introduction

“This is impossible!!!!” GET verb can take request parameters only from the query strings (name/value pairs) and it has a limitation in length.

GET

If the URL is too long, the web server fails with the 414 Request-URI Too Long HTTP status code.

The only alternative to pass a complex object or to pass request body is using ‘POST‘.

The following table compares the two HTTP methods: GET and POST.

Comparison

GETPOST
BACK button/ReloadHarmlessData will be re-submitted (the browser should alert the user that the data are about to be re-submitted)
BookmarkedCan be bookmarkedCannot be bookmarked
CachedCan be cachedNot cached
Encoding typeapplication/x-www-form-urlencodedapplication/x-www-form-urlencoded or multipart/form-data. Use multipart encoding for binary data
HistoryParameters remain in browser historyParameters are not saved in browser history
Restrictions on data lengthYes, when sending data, the GET method adds the data to the URL; and the length of a URL is limited (maximum URL length is 2048 characters)No restrictions
Restrictions on data typeOnly ASCII characters allowedNo restrictions. Binary data is also allowed
SecurityGET is less secure compared to POST because data sent is part of the URL. Never use GET when sending passwords or other sensitive information!POST is a little safer than GET because the parameters are not stored in browser history or in web server logs
VisibilityData is visible to everyone in the URLData is not displayed in the URL

But my lead says you have to accept a complex object as part of request through HTTP GET. I know this is against the developer ethics. But I can’t do anything.

After deep thinking, I thought let me try passing this through HEADER. So what is a Header?

The information, in the form of a text record, that a user’s browser sends to a Web server containing the details of what the browser wants and will accept back from the server. The request header also contains the type, version and capabilities of the browser that is making the request so that server returns compatible data.

Upon receipt of the request header, the server will return an HTTP response header to the client that is attached to the file(s) being sent.

Solution

As my project is ASP.NET MVC Web API, here’s the solution:

C#
public  HttpResponseMessage GetProducts()
       {
           IEnumerable<string> customJsonInputString;
           if (!Request.Headers.TryGetValues("custom", out customJsonInputString))
              return new HttpResponseMessage(HttpStatusCode.BadRequest);
          var customJsonInputArray = customJsonInputString.ToArray();
          var ProductsRequest =
            Newtonsoft.Json.JsonConvert.DeserializeObject<ProductsRequest>(customJsonInputArray[0]);
          var productLogic= new ProductLogic();
          var productsResponse = productLogic.FetchProducts(ProductsRequest );
          return Request.CreateResponse(HttpStatusCode.OK, productsResponse );
       }

Sample Header

Custom is the complex object we are trying to pass as part of HTTP GET request:

User-Agent: Fiddler
content-type: application/json
accept: application/json
Host: localhost:39999
Content-Length: 1097
X-Api-Version: 2
custom: [ { "id": 2, "name": "An ice sculpture", 
"price": 12.50, "tags": ["cold", "ice"], 
"dimensions": { "length": 7.0, "width": 12.0, 
"height": 9.5 }, "warehouseLocation": 
{ "latitude": -78.75, "longitude": 20.4 } }, 
{ "id": 3, "name": "A blue mouse", 
"price": 25.50, "dimensions": { "length": 3.1, 
"width": 1.0, "height": 1.0 }, "warehouseLocation": 
{ "latitude": 54.4, "longitude": -32.7 } }]

ProductsRequest class is not shown here. Just search for JSON string to C# object. You should see tons of examples to achieve this. Give a try !!!.

Now it's time to correct my title. We aren’t actually passing any request body here, it's a small hack.

Note: This is not the right way to do this. Try to avoid using this.


Filed under: ASP.NET, C#
Tagged: ASP.NET MVC WEB API, HTTP GET, HTTP GET with a request body, Web API

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)