[Zope-dev] RFC 2616, side effects, and idempotence (was: Last-Modified....)
Oliver Bleutgen
myzope@gmx.net
Tue, 18 Jun 2002 16:53:58 +0200
R. David Murray wrote:
> On Tue, 18 Jun 2002, Oliver Bleutgen wrote:
>
>>Toby Dickenson wrote:
>>
>>>> Rendering may produce side effects. But "HEAD" requests
>>>> are required by HTTP not to have side effects.
>>>
>>>RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect,
>>>and both should have no side effects.
>>
First, your quoting is wrong, I didn't write that - talk about
precisionist *g*.
> This bugged me the first time this discussion went around, and I
> feel impelled to clearify it now, even though it is a little
> tangential to the core of the discussion. I guess I'm just a
> precisionist when it comes to terminology <grin>.
>
> The RFC does *NOT* say that GET and HEAD must have no side effects.
> That is just the simplist implementation of what it *dees* say,
> which is that GET and HEAD must be "idempotent". When Tim (I think it
> was) mentioned this in the first round of this disucssion, I had to look
> it up even though it is a good math term and I was a math major.
This doesn't cover everything.
First, you're right, the RFC indeed doesn't say MUST anywhere concerning
the areas we are talking about. This is important. Zope does not violate
the RFC.
But, the RFC introduces two, let's say attributes to methods.
One is idempotent, which is described in 9.1.2 which you righlty refer to.
But, there's also the attribute safe, which is described in 9.1.1:
9.1.1 Safe Methods
Implementors should be aware that the software represents the user
in their interactions over the Internet, and should be careful to
allow the user to be aware of any actions they might take which may
have an unexpected significance to themselves or others.
In particular, the convention has been established that the GET and
HEAD methods SHOULD NOT have the significance of taking an action
other than retrieval. These methods ought to be considered "safe".
This allows user agents to represent other methods, such as POST,
PUT and DELETE, in a special way, so that the user is made aware of
the fact that a possibly unsafe action is being requested.
Naturally, it is not possible to ensure that the server does not
generate side-effects as a result of performing a GET request; in
fact, some dynamic resources consider that a feature. The important
distinction here is that the user did not request the side-effects,
so therefore cannot be held accountable for them.
Which is IMO exactly what we were talking about in that thread.
>
> So it seems to me that some of the concern I have seen in Zope code
> with avoiding "write on read", where a GET request would otherwise
> trigger the one-time initialization of something in the database,
> is misplaced if the concern that motivates it is adhering to this
> spec. There may well be other reasons to wish to avoid idempotent
> write-on-read (although I haven't thought of any yet), but RFC 2616
> isn't one of them.
Perhaps it is. I don't know the areas of the code where you have seen
that, but it might be inspired not by the problem of idempotence, but of
"safeness"
> PS: somehow, I don't think the spec writers thought
> much about hit counters...
Lol, I think so too.
cheers,
oliver