Is it okay to set a cookie with a HTTP GET request?

Question

This might be a bit of an ethical question, but I'm having quite a discussion in the office about the following issue:

Is it okay to set a cookie with a HTTP GET request? Because whenever a HTTP request changes something in the application, you should use a POST request. HTTP GET should only be used to retrieve data identified by the Request-URI.

In this case, the application doesn't change, but because the cookie is altered, the user might get a different experience when the page loads again, meaning that the HTTP GET request changed the application behaviour (nothing changed server-side though).

Get request reference

The discussion started because we want to use a normal anchor element to set a cookie.

Answer 1

The problem with GETs, especially if they are on an a tag, is when they get spidered by the likes of Google.

In your case, you'd needlessly be creating cookies that will, more than likely, never get used.

I'd also argue that the GET rule it's not really about changing the application, more about changing data. I appreciate the subtle distinction with the cookie ( i.e. you are not changing data on YOUR system ), but generally, it's a good rule to have, and irrespective of where the data is stored, GET shouldn't really be used to change it.