porneL wrote:
[color=blue][color=green][color=darkred]
> > > Remember that you MUST set 303 response status when you redirect POST
> > > request.
> > > header('HTTP/1.1 303 Redirect');[/color][/color][/color]
John Dunlop wrote:
[color=blue][color=green]
> > Although 303 is a more logical choice here, nothing stops
> > you from sending a 302 response. So make that 'MUST' a
> > 'can', or a 'should' if interoperability with older software
> > isn't an issue, and I'll second that.[/color][/color]
porneL wrote:
[color=blue]
> Right. It is actually SHOULD in RFC terminology.[/color]
No, it's not; at least not in RFC2616. The RFC defines the
status code, but doesn't tell you when to use it.
[color=blue]
> But it is very important in this case, because current User-Agents
> post form *again* on 301/302 status,[/color]
With a 301, that's what's supposed to happen. What browser
continues POSTing after a 302?
[color=blue]
> so such redirect would *cause* re-post instead of preventing re-post.[/color]
RFC2616 notes, sec. 10.3.3:
| RFC 1945 and RFC 2068 specify that the client is not
| allowed to change the method on the redirected request.
| However, most existing user agent implementations treat
| 302 as if it were a 303 response, performing a GET on the
| Location field-value regardless of the original request
| method. The status codes 303 and 307 have been added for
| servers that wish to make unambiguously clear which kind
| of reaction is expected of the client.
http://www.ietf.org/rfc/rfc2616.txt
[color=blue]
> Because 303 reponse may have a body and you can put link there,
> you can have 100% compatibility (with extra "click here" for lousy UA).[/color]
Nothing stops you from providing a note along with a 302
response; in fact the RFC says you should (and that's a
'SHOULD'), unless the request method was HEAD.
I was never disagreeing with the sending of a 303, but I
thought your 'MUST' deserved a comment.
--
Jock
