I'm implementing some rest services. The first service I have to call according to the SDK is a http POST request to logon. The input are my user's credentials, and the output is my session id.
To logout, I also have to make a http POST request, but without any data/payload in the request body. Instead, a header field must be added the request that contains the session id.
I'm a bit torn, is this the correct design for a loggoff request, or should a GET method be used instead? More general, should a request with no input (except query paramerters and request headers) and no output be a GET, a POST, or something else? Why so or why not?
According to RFC2616 GET is a "safe method" that
SHOULD NOT have the significance of taking an action other than retrieval
Log off, does not seem like a safe action to me so GET is not suitable.
It should therefore be a POST. No other HTTP verb seems semantically suitable.