hc-dev mailing list archives

From Oleg Kalnichevski <o.kalnichev...@dplanet.ch>
Subject Re: AW: post redirect
Date Fri, 07 Mar 2003 19:22:58 GMT
David

I think it is exactly the case. Any sane browser should avoid blindly
redirecting a POST request for security reasons and should issue a GET
request instead, expecting to receive a new form to be filled out, and
only then issue a new POST request.

Oleg

On Fri, 2003-03-07 at 19:58, David Kavanagh wrote:
> Thomas,
> I'd like to hear more about this because I don't understand how the 
> browser can do that. I know if the form requires POST, the browser 
> simply can't issue GET and expect it to work. Hmm, are you saying that 
> the browser just looks in the response header and issues a GET to follow 
> the redirect? OK, I would expect something along those lines....
> 
> David
> 
> mathis@vtg.at wrote:
> 
> >I am with you Oleg! Some time ago I had the same "problem" but it turned
> >out that the browsers follow the redirects not within the PostMethod but
> >they instead execute a GetMethod. If they didn't do so the client could
> >have a wrong URL "displayed".
> >
> >Gtx,
> >Thomas
> >
> >-----Original Message-----
> >From: Kalnichevski, Oleg [mailto:oleg.kalnichevski@bearingpoint.com]
> >Sent: Friday, 7 March 2003 17:39
> >To: Commons HttpClient Project
> >Subject: RE: post redirect
> >
> >
> >David
> >
> >HttpClient is a library, whereas a browser is a totally different kind of
> >beast.
> >
> >RFC 2616 says the following:
> >
> >"...
> >   If the 301 status code is received in response to a request other
> >   than GET or HEAD, the user agent MUST NOT automatically redirect the
> >   request unless it can be confirmed by the user, since this might
> >   change the conditions under which the request was issued
> >..."
> >
> >A well-behaving browser should provide the end user with a confirmation
> >dialog or a configuration option to automatically perform POST redirects.
> >HttpClient can't have that luxury, as it is not supposed to be directly
> >interacting with the end user. I am personally convinced that POST redirect
> >should be handled by the application that consumes HttpClient's services.
> >All it basically takes is a retry loop.
> >
> >Does anyone see that differently?
> >
> >Cheers
> >
> >Oleg
> >
> >
> >-----Original Message-----
> >From: David Kavanagh [mailto:dak@dotech.com]
> >Sent: Friday, 7 March 2003 17:24
> >To: commons-httpclient-dev@jakarta.apache.org
> >Subject: post redirect
> >
> >
> >I've been working with httpclient for a couple of days to build a Cocoon 
> >transformer that helps me build pipelines to navigate web sites and 
> >extract data. I've read the parts of RFC2616 that deal with redirects 
> >and state they are automatic on the client only for GET and HEAD 
> >methods. I know the JDC and a web site I wrote use POST for the login 
> >form and issue a redirect as a response. Any browser I've tried this 
> >with honors the redirect. I can send some test code I've been using to 
> >test the automated login (that includes handling cookies).
> >Anyway, I've observed browsers honoring the redirect on a POST, can't 
> >httpclient be configured that way? Looking at the source code tells me 
> >no. (I've been using 2.0 alpha 3).
> >
> >Thanks,
> >David
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >  
> >
> 
> 
> 
> 
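
The application-level retry loop described in the thread, written out as an added example that is not code from the thread or from HttpClient. It uses only JDK classes (`HttpURLConnection` plus the JDK's built-in `com.sun.net.httpserver` server as a constructed local target); the `/login` and `/home` paths, the form data and the five-hop cap are assumptions.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;

public class PostRedirectLoop {
    static final int MAX_HOPS = 5; // assumed cap, not a value from the thread

    // Sends the form once by POST. A 301/302/303 answer is followed with a
    // body-less GET, so the form data is never replayed to the new location.
    static int submit(URI uri, byte[] form) throws IOException {
        String method = "POST";
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection c = (HttpURLConnection) uri.toURL().openConnection();
            c.setInstanceFollowRedirects(false); // the application decides, not the library
            c.setRequestMethod(method);
            if (method.equals("POST")) {
                c.setDoOutput(true);
                try (OutputStream out = c.getOutputStream()) { out.write(form); }
            }
            int status = c.getResponseCode();
            String location = c.getHeaderField("Location");
            if (status < 301 || status > 303 || location == null) return status;
            uri = uri.resolve(location); // Location may be relative
            method = "GET";              // every hop after the first is a GET
        }
        throw new IOException("more than " + MAX_HOPS + " redirects");
    }
    public static void main(String[] args) throws IOException {
        // Constructed local server: POST /login answers 302 with Location: /home.
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/login", ex -> {
            ex.getRequestBody().readAllBytes();
            ex.getResponseHeaders().add("Location", "/home");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        s.createContext("/home", ex -> { // 200 only if the follow-up is a GET
            ex.sendResponseHeaders(ex.getRequestMethod().equals("GET") ? 200 : 405, -1);
            ex.close();
        });
        s.start();
        URI login = URI.create("http://127.0.0.1:" + s.getAddress().getPort() + "/login");
        System.out.println("final status: " + submit(login, "user=demo".getBytes()));
        s.stop(0);
    }
}
```

Any other status, including a redirect without a `Location` header, is returned to the caller unchanged so the application can decide what to do with it.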

