Women in Technology

Hear us Roar


Article:
  User-Friendly Form Validation with PHP and CSS
Subject:   POST requests should not be redirected
Date:   2004-04-27 06:57:43
From:   hukka
Using header("Location: ...") on POST requests is troublesome because the HTTP spec requires the browser to explicitly ask for user confirmation for the redirect. From the HTTP 1.1 spec, section 10.3.3:


If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.


This is hardly "user-friendly". Of course (as noted also in the spec) most current browsers (especially IE) do not require this confirmation, but one should not count on this behaviour. At least current Mozilla browsers comply with the standard.


Using the redirect trick is fine for GET requests. For web forms using POST, a better solution would be to output a status page showing a message about the entered information having been successfully processed. You can include the followup URL as a "continue" link on that status page, and you could even add a META refresh tag to have the browser automatically redirect to that address after a few seconds.
Full Threads Oldest First

Showing messages 1 through 1 of 1.

  • Chris Shiflett photo POST requests should not be redirected
    2004-04-29 09:13:48  Chris Shiflett | O'Reilly Author [View]

    That is how the specification is written, but it is not how it is applied in practice. Basically, 302 is treated exactly like the description of 303. In fact, 303 was added so that the ambiguity could be removed. If 303 was supported as consistently as 302 (e.g., by both old and new agents), we would probably return that instead of 302 when a developer sets a Location header.

Recommended for You
 
Sign up today to receive special discounts,
product alerts, and news from O'Reilly.
Privacy Policy >
View Sample Newsletter >