A common misunderstanding about the maximum parameter length of HTTP GET/POST requests

Source: Internet
Author: User
Tags: website performance, csrf attack

1. GET method length limit

The HTTP protocol specification places no limit on the length of data submitted with the GET method and does not limit URL length. The limits that exist are imposed by specific browsers and servers.

For example, IE limits URL length to 2083 bytes (2K+35).

The following lists the maximum URL lengths handled by various browsers and servers.

Microsoft Internet Explorer (Browser)

Internet Explorer has a maximum URL limit of 2,083 characters. If this number is exceeded, the submit button does not respond.

Firefox (Browser)

The URL for the Firefox browser is limited to a length of 65,536 characters.

Safari (Browser)

The maximum URL length is limited to 80,000 characters.

Opera (Browser)

The maximum URL length is limited to 190,000 characters.

Google Chrome (Browser)

The maximum URL length is limited to 8,182 characters.

Apache (Server)

Can accept a maximum URL length of 8,192 characters.

Microsoft Internet Information Server (IIS)

The maximum URL that can be accepted is 16,384 characters long.

Based on the data above, a URL that must work for all users should not exceed the IE limit (2,083 characters). If the URL is not given directly to users but is called by a program, its length is limited only by the web server.

Note: Chinese text is transmitted in URL-encoded form. If the browser encoding is UTF-8, one Chinese character is 9 characters long after encoding.

Therefore, with the GET method, the maximum parameter length equals the maximum URL length minus the number of characters in the actual path.

2. POST method length limit

In theory, POST has no size limit. The HTTP protocol specification does not impose one; the limit comes from the processing capacity of the server's request handlers.

For example, to remove the POST size limit in Tomcat (the Tomcat default is 2M):

Open the conf directory under the Tomcat directory, open the server.xml file, and modify the Connector element:

<Connector
    debug="0"
    acceptCount="100"
    connectionTimeout="20000"
    disableUploadTimeout="true"
    port="8080"
    redirectPort="8443"
    enableLookups="false"
    minSpareThreads="25"
    maxSpareThreads="75"
    maxThreads="150"
    maxPostSize="0"
    URIEncoding="GBK"
/>

Add the maxPostSize="0" attribute (shown in red in the original; setting it to 0 removes the POST size limit).





I just saw a classmate in the group say that the GET request parameter length under the HTTP protocol is limited and cannot exceed XX, while POST is unrestricted. Seeing this, I think they have read too many blogs or books that make baseless assertions, which leads to this misunderstanding:

1. First, even if there is a length limit, it applies to the entire length of the URI, not just to the length of your parameter values.

2. The HTTP protocol has never specified what the length limit for GET/POST requests is.

The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15).
Note: Servers ought to be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations might not properly support these lengths.

3. The so-called request length limit is determined and set by the browser and the web server. The settings differ among browsers and web servers, depending on each browser vendor's requirements, or can be set according to the processing capacity of the web server.

The limit is in MSIE and Safari about 2KB, in Opera about 4KB and in Firefox about 8KB (255 bytes if we count very old browsers). We may thus assume that 8KB is the maximum possible length and that 2KB is a more affordable length to rely on at the server side and that 255 bytes is the safest length to assume that the entire URL will come in.
If the limit is exceeded in either the browser or the server, most will just truncate the characters outside the limit without any warning. Some servers however may send an HTTP 414 error. If you need to send large data, then better use POST instead of GET. Its limit is much higher, but more dependent on the server used than the client. Usually up to around 2GB is allowed by the average webserver. This is also configurable somewhere in the server settings. The average server will display a server-specific error/exception when the POST limit is exceeded, usually as an HTTP error.
HTTP 1.1 defines Status Code 414 Request-URI Too Long for the cases where a server-defined limit is reached. You can see further details on RFC 2616. For the case of client-defined limits, there is no sense in the server returning something, because the server won't receive the request at all.

The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret. This rare condition is only likely to occur when a client has improperly converted a POST request to a GET request with long query information, when the client has descended into a URI "black hole" of redirection (e.g., a redirected URI prefix that points to a suffix of itself), or when the server is under attack by a client attempting to exploit security holes present in some servers using fixed-length buffers for reading or manipulating the Request-URI.
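
The server-side limits described above can be seen in a small size gate, given here as an added example (not code from the original article or from any server it mentions). It measures the whole percent-encoded request-target, so a UTF-8 Chinese character costs 9 bytes of the budget, and it answers oversized requests with 414 or 413 before any body is read. The 8192-byte and 2 MB limits, the /search endpoint and the 411 policy for bodies without Content-Length are assumptions.

```python
from urllib.parse import urlencode

# Assumed limits for illustration; HTTP itself mandates none.
MAX_URI_BYTES = 8192              # request-target limit (path + query)
MAX_BODY_BYTES = 2 * 1024 * 1024  # request body limit (2 MB)


def build_target(path: str, params: dict) -> bytes:
    """Return the request-target as sent on the wire (percent-encoded UTF-8)."""
    return (path + "?" + urlencode(params, encoding="utf-8")).encode("ascii")


def check_request_size(request_line: bytes, headers: dict) -> int:
    """Return the status a size-limiting front end would send; 200 = pass on."""
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return 400                  # malformed request line
    method, target, _version = parts
    # The limit covers the whole request-target, not one parameter value,
    # and is measured after percent-encoding.
    if len(target) > MAX_URI_BYTES:
        return 414                  # URI Too Long
    if method not in (b"POST", b"PUT", b"PATCH"):
        return 200
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    length = lowered.get("content-length")
    if length is None:
        return 411                  # assumed policy: bodies must declare a length
    if not (length.isascii() and length.isdigit()):
        return 400                  # reject signs, blanks and non-numeric values
    if int(length) > MAX_BODY_BYTES:
        return 413                  # Payload Too Large, rejected before reading
    return 200


def get_status(params: dict) -> int:
    """Size-check a GET to the hypothetical /search endpoint with these params."""
    line = b"GET " + build_target("/search", params) + b" HTTP/1.1\r\n"
    return check_request_size(line, {"Host": "example.test"})
```
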

Appendix: GET vs. POST:

1. For POST, most browsers send the data in two stages: first the request headers, then the request body. Even when the parameters are few and short, the request is sent in two steps (unlike GET): the header data first, then the body. HTTP is an application-layer protocol, and in some cases this results in two transmissions at the TCP transport layer. HTTP itself keeps no state information: one request, one response. For TCP, the more exchanges there are, the lower the reliability; transmitting the required message in a single connection is the most reliable, so use GET requests where possible to reduce network time. If the communication time increases, the client and server stay connected for that period, the load on the server may increase, and reliability decreases.

Tip: for this, see the server chapter of Yahoo's website performance optimization guide:

http://segmentfault.com/a/1190000000353790

http://developer.yahoo.com/performance/rules.html

HTTP://BLOGREAD.CN/IT/ARTICLE/6100?F=WB YSlow rules: why does Yahoo recommend GET instead of POST?

The article above uses Wireshark packet captures to verify that POST sends packets twice while GET sends them once, and walks through the whole process. It is recommended reading.

2. GET requests can be cached, and GET requests are saved in the browser's history (if passwords or other important data are submitted with GET, anyone who views the history can see this private data directly). POST is not cached.

3. GET parameters are appended to the URL. The maximum usable URL length in traditional IE is 2048 characters, and other browsers implement different URL length limits. POST requests have no length limit (in theory).

4. The size of data submitted with GET is restricted differently by different browsers, generally between 2K and 8K. POST can submit larger data, with the size limited by the server's configured value, and some data can only be carried by POST, such as files.

5. Using POST for everything is not very reasonable. It is best to first classify requests by function and scenario: where requests are frequent, the data is not sensitive, and the amount of data fits within the smallest common browser limit of 2K, use GET. Use POST elsewhere.

6. The essence of GET is "get", and the essence of POST is "give". GET is also "idempotent", and in this sense GET is considered "safe". In practice the server side can also use GET to update resources, but this usage violates the convention and easily leads to CSRF (cross-site request forgery).

REF:

http://stackoverflow.com/questions/2659952/maximum-length-of-http-get-request Maximum length of HTTP GET request?

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.15 Request-URI Too Long

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 General Syntax

http://www.cnblogs.com/xiaotaomaomao/articles/986070.html

http://www.cnblogs.com/TankXiao/archive/2012/02/13/2342672.html The HTTP protocol in detail

http://segmentfault.com/q/1010000000213082 POST is more secure than GET and carries more data; I plan to use POST for all data retrieval. Is that a good idea?

http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html On CSRF attacks
