470,866 Members | 1,808 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 470,866 developers. It's quick & easy.

HELP -> stop post data expiring?

Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA
content has expired and they need to refresh the page then they get a
alert about refreshing expired data.

I am getting complaints that this is too annoying and limits the sites
useability.

For security reasons I cant swap post for get.

the header content of the page is
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 600) .'GMT');

which seems to work on some browsers/systems but not others ...

I want to over-ride the users cache settings but am not sure how this
can be best achieved in respect of POST data

any help greatly appreciated.
Jul 17 '05 #1
11 2553
brendan wrote:
Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA
content has expired and they need to refresh the page then they get a
alert about refreshing expired data.

I am getting complaints that this is too annoying and limits the sites
useability.

For security reasons I cant swap post for get.

the header content of the page is
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 600) .'GMT');

which seems to work on some browsers/systems but not others ...

I want to over-ride the users cache settings but am not sure how this
can be best achieved in respect of POST data

any help greatly appreciated.


Hi brendan,

I am not sure you can repair this.
AFAIK some browsers tell the visitor that the page they see is a result of a
posting (form). Which is a good thing, because it is the result of a
posting.
I am unsure if you can fix this by adding headers.. (hopefully for you
somebody knows. :-)

If you want to 'repair' this behaviour, you can add your own
navigationbuttons to the page and implement a decent post for 'back'-button
behaviour. Allthough this is not always possible.

And honestly I don't understand the security-implementations you have with
GET that disappear by using POST.
POST data is also send over the network, it just doesn't show up in the URL,
but it is there.....

If you want more security, use encryption. (https)

just my 2 cents.

Regards,
Erwin Moller
Jul 17 '05 #2
Erwin Moller wrote:
brendan wrote:

Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA
content has expired and they need to refresh the page then they get a
alert about refreshing expired data.

I am getting complaints that this is too annoying and limits the sites
useability.

For security reasons I cant swap post for get.

the header content of the page is
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 600) .'GMT');

which seems to work on some browsers/systems but not others ...

I want to over-ride the users cache settings but am not sure how this
can be best achieved in respect of POST data

any help greatly appreciated.

Hi brendan,

I am not sure you can repair this.
AFAIK some browsers tell the visitor that the page they see is a result of a
posting (form). Which is a good thing, because it is the result of a
posting.
I am unsure if you can fix this by adding headers.. (hopefully for you
somebody knows. :-)

If you want to 'repair' this behaviour, you can add your own
navigationbuttons to the page and implement a decent post for 'back'-button
behaviour. Allthough this is not always possible.

And honestly I don't understand the security-implementations you have with
GET that disappear by using POST.
POST data is also send over the network, it just doesn't show up in the URL,
but it is there.....

If you want more security, use encryption. (https)

just my 2 cents.

Regards,
Erwin Moller


Thanks Erwin,

the problem is that several string parameters are enrcypted using a
binary hash and this can result in some being longer than some of
browsers permissable GET string length. As there is no MIME control for
GET there I cant think of a workaround. Am I wrong on this one?

I am not sure that disabling browser buttons or using chromeless windows
would attract any less angst from users than the need to refresh.

your right about https: its just that our webserver uses some really
lame DN (ie https://www.yourreallysecurenow.com etc) and we want to keep
the product logo ... guess we could use frames ... but that causes
another set of problems when users refresh anything.

thanks for your response though ... its good to know Im not the only one
around.
cheers
brendan.
Jul 17 '05 #3
brendan wrote:
Erwin Moller wrote:
brendan wrote:

Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA
content has expired and they need to refresh the page then they get a
alert about refreshing expired data.

I am getting complaints that this is too annoying and limits the sites
useability.

For security reasons I cant swap post for get.

the header content of the page is
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 600) .'GMT');

which seems to work on some browsers/systems but not others ...

I want to over-ride the users cache settings but am not sure how this
can be best achieved in respect of POST data

any help greatly appreciated.

Hi brendan,

I am not sure you can repair this.
AFAIK some browsers tell the visitor that the page they see is a result
of a posting (form). Which is a good thing, because it is the result of a
posting.
I am unsure if you can fix this by adding headers.. (hopefully for you
somebody knows. :-)

If you want to 'repair' this behaviour, you can add your own
navigationbuttons to the page and implement a decent post for
'back'-button behaviour. Allthough this is not always possible.

And honestly I don't understand the security-implementations you have
with GET that disappear by using POST.
POST data is also send over the network, it just doesn't show up in the
URL, but it is there.....

If you want more security, use encryption. (https)

just my 2 cents.

Regards,
Erwin Moller


Thanks Erwin,


Hi again,

the problem is that several string parameters are enrcypted using a
binary hash and this can result in some being longer than some of
browsers permissable GET string length.
Oh, is that still a problem?
I thought that was only a problem for (very old) webSERVERS.
In that case you should stick to POST indeed.
:-(
As there is no MIME control for
GET there I cant think of a workaround. Am I wrong on this one?
Sorry, I wasn't aware that POST had MIME-control. I think of it as a bunch
of name/value pairs with a certain encoding, no MIME AFAIK.

Very well possible I am wrong on that one. :P
Maybe somebody who knows more about this can clarify this??

I am not sure that disabling browser buttons or using chromeless windows
would attract any less angst from users than the need to refresh.
Hmm. ok.
If you get a response from a webserver after posting some formdata, it is
only logical that a browser warns you if you use your back-button. At least
that makes a lot of sense to me.

As a sidenote:
I think the problem is that many people using a browser (your customers) are
not aware of that, and don't have a clue what a posting is, don't have a
clue what 'expired' means, and above all: don't want to learn it either.
(Speaking from own experience).
So unless you can fix this browser-behaviour somehow, you should educate
your users that this is actually desired behaviour of an internetbrowser.
It is like somebody steps into a car for the first time in his life, starts
driving, and gets angry after he crashes because the gaspedal worked
differently than he 'expected'. He simply needs a driverlicence.

But that doesn't help you, does it? ;-)

your right about https: its just that our webserver uses some really
lame DN (ie https://www.yourreallysecurenow.com etc) and we want to keep
the product logo ... guess we could use frames ... but that causes
another set of problems when users refresh anything.

thanks for your response though ... its good to know Im not the only one
around.
cheers
brendan.


If memory serves me well M$ Exploder has an option somewhere to disables
this question. (Not sure, using Mozilla right now.)

Sorry I cannot be of more help. :-/
I guess you have to dive into all kinds of extra headers to fix this.
And after that: test it on every major browser on all major OS's...

Good luck!
Regards,
Erwin Moller
Jul 17 '05 #4
brendan wrote:
Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA content
has expired and they need to refresh the page then they get a alert
about refreshing expired data.

I am getting complaints that this is too annoying and limits the sites
useability.

For security reasons I cant swap post for get.

the header content of the page is
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 600) .'GMT');

which seems to work on some browsers/systems but not others ...

I want to over-ride the users cache settings but am not sure how this
can be best achieved in respect of POST data

any help greatly appreciated.


IIRC you can avoid this using redirects. The script which accepts the
posted data should process it (add to the database or such) and then
issue header('Location: results.php'); which will ensure that there are
no pages in the browser cache relating to posted data.

Jul 17 '05 #5
Erwin Moller wrote:
If you get a response from a webserver after posting some formdata, it is
only logical that a browser warns you if you use your back-button. At least
that makes a lot of sense to me.


Will you explain why, please?

--
Jock
Jul 17 '05 #6
brendan wrote:
Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA content
has expired and they need to refresh the page then they get a alert
about refreshing expired data.

I am getting complaints that this is too annoying and limits the sites
useability.

For security reasons I cant swap post for get.

the header content of the page is
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 600) .'GMT');

which seems to work on some browsers/systems but not others ...

I want to over-ride the users cache settings but am not sure how this
can be best achieved in respect of POST data

any help greatly appreciated.

Good lord, everyone else posting in here is making it way too hard :)

It has to do with your caching. Check out your php.ini for an option called
"session.cache_limiter", try setting that to "private" instead of the default
"nocache". Note that there ARE however quirks which I'm sure you'll experience
and decide that it's not worth it. For example, users may not end up getting the
latest version of the page because they're caching it. Trying to distribute the
idea to "Push CTRL+F5" to every Joe Average isn't worth "fixing" a quirk for
just a couple of users.

I don't know, if you tweak with the expiry date /and/ the cache limiter you
might be able to achieve the desired effect. By the way, expiry date can be
managed by "session.cache_expire" which defaults to 180 minutes.

_Excerpt from my php.ini_
; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
;session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

Jeff
Jul 17 '05 #7
In article <c8**********@pegasus.csx.cam.ac.uk>, brendan wrote:
Sorry this isnt a cross post .. i just didnt get any help from alt.php.

I have a website which utilises post forms for navigation in some areas.
Problem is, when *some* users hit the BACK button the POSTDATA
content has expired and they need to refresh the page then they get a
alert about refreshing expired data.


And that alert should be there.
But you could add hidden field to you form that contains
<input type="hidden" name="lastupdate" value="timestamp last update" />

And then also save the current time when you update the data in your
database.
Each time when the form is submitted, you can compare the value of lastupdate in
the hidden field with the timestamp in the database. If they are not
equal, the client was working with invalid data, and you should return
him a error message and the new data....
--
http://home.mysth.be/~timvw
Jul 17 '05 #8
John Dunlop wrote:
Erwin Moller wrote:
If you get a response from a webserver after posting some formdata, it is
only logical that a browser warns you if you use your back-button. At
least that makes a lot of sense to me.


Will you explain why, please?


Hi John,

Why I think that is logical?
Because the resulting response is based on the actions of a script that
received certain data (by the POST).
If that data changes, the response could also very well change, hence the
warning.
It is not carved in stone, but it makes sense to me.

What doesn't make sense to me is this:
A script might very well respond to the content encoded in the GET... but in
that case we don't get the warning.

Actually, I am not at all convinced I understand this behaviour. :-)
Can somebody explain this?
Why do we get a warning if we use the back-button for a page that was based
on a POST and not for a GET?

Regards,
Erwin Moller
Jul 17 '05 #9
In article <40*********************@news.xs4all.nl>, Erwin Moller wrote:
John Dunlop wrote:
Erwin Moller wrote:
If you get a response from a webserver after posting some formdata, it is
only logical that a browser warns you if you use your back-button. At
least that makes a lot of sense to me.


Will you explain why, please?


Hi John,

Why I think that is logical?
Because the resulting response is based on the actions of a script that
received certain data (by the POST).
If that data changes, the response could also very well change, hence the
warning.
It is not carved in stone, but it makes sense to me.

What doesn't make sense to me is this:
A script might very well respond to the content encoded in the GET... but in
that case we don't get the warning.

Actually, I am not at all convinced I understand this behaviour. :-)
Can somebody explain this?
Why do we get a warning if we use the back-button for a page that was based
on a POST and not for a GET?


The differences between POST and GET can be found in the relevant rfc's
on HTTP.

In short: each time you request data with a GET, the server should
return the same data each time. With a POST, the server will return
different data each time.
--
http://home.mysth.be/~timvw
Jul 17 '05 #10
Erwin Moller wrote:
Because the resulting response is based on the actions of a script that
received certain data (by the POST).
If that data changes, the response could also very well change, hence the
warning.


Now I've had time and have read the entire thread, I think I've
cottoned on. I had thought the discussion was about the browser's
behaviour upon the user moving backwards, not what happens when a
request is sent. Thanks for the clarification.

--
Jock
Jul 17 '05 #11
Tim Van Wassenhove wrote:
Erwin wrote:

Actually, I am not at all convinced I understand this behaviour. :-)
Can somebody explain this?
Why do we get a warning if we use the back-button for a page that was
based on a POST and not for a GET?

Hi Tim,

Thanks for your response.

The differences between POST and GET can be found in the relevant rfc's
on HTTP.
As usual. :-)
Why are them rfc's always so hard to read?

In short: each time you request data with a GET, the server should
return the same data each time. With a POST, the server will return
different data each time.
Tim, is it safe to conclude that the authors of the rfc's describing GET and
POST didn't expect a GET to have a bunch of encoded name/value pairs in it?
Is it like they expected you to use a POST for that?

(If that is the case I think I understand the difference in behaviour,
finally.)

Regards,
Erwin Moller

Jul 17 '05 #12

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

9 posts views Thread by Tom | last post: by
4 posts views Thread by Sarir Khamsi | last post: by
2 posts views Thread by Sudheer Kareem | last post: by
6 posts views Thread by wukexin | last post: by
6 posts views Thread by d.warnermurray | last post: by
reply views Thread by tbatwork828 | last post: by
8 posts views Thread by Mark | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.