David,

I think it is exactly the case. Any sane browser should avoid blindly redirecting a POST request for security reasons and should issue a GET request instead, expecting to receive a new form to be filled out, and only then issue a new POST request.
Oleg

On Fri, 2003-03-07 at 19:58, David Kavanagh wrote:
> Thomas,
> I'd like to hear more about this because I don't understand how the
> browser can do that. I know if the form requires POST, the browser
> simply can't issue GET and expect it to work. Hmm, are you saying that
> the browser just looks in the response header and issues a GET to follow
> the redirect? OK, I would expect something along those lines....
>
> David
>
> [EMAIL PROTECTED] wrote:
>
> >I am with you Oleg! Some time ago I had the same "problem" but it figured
> >out that the browsers follow the redirects not within the PostMethod but
> >they instead execute a GetMethod. If they wouldn't do so the client could
> >have a wrong url "displayed".
> >
> >Gtx,
> >Thomas
> >
> >-----Original Message-----
> >From: Kalnichevski, Oleg [mailto:[EMAIL PROTECTED]
> >Sent: Friday, 7 March 2003 17:39
> >To: Commons HttpClient Project
> >Subject: RE: post redirect
> >
> >
> >David
> >
> >HttpClient is a library, whereas a browser is a totally different kind of
> >beast.
> >
> >RFC 2616 says the following:
> >
> >"...
> >   If the 301 status code is received in response to a request other
> >   than GET or HEAD, the user agent MUST NOT automatically redirect the
> >   request unless it can be confirmed by the user, since this might
> >   change the conditions under which the request was issued
> >..."
> >
> >A well-behaving browser should provide the end user with a confirmation
> >dialog or a configuration option to automatically perform POST redirects.
> >HttpClient can't have that luxury, as it is not supposed to be directly
> >interacting with the end user. I am personally convinced that POST redirect
> >should be handled by the application that consumes Httpclient's services.
> >All it basically takes is a retry loop
> >
> >Does anyone see that differently?
> >
> >Cheers
> >
> >Oleg
> >
> >
> >-----Original Message-----
> >From: David Kavanagh [mailto:[EMAIL PROTECTED]
> >Sent: Friday, 7 March 2003 17:24
> >To: [EMAIL PROTECTED]
> >Subject: post redirect
> >
> >
> >I've been working with httpclient for a couple of days to build a Cocoon
> >transformer that helps me build pipelines to navigate web sites and
> >extract data. I've read the parts of RFC2616 that deal with redirects
> >and state they are automatic on the client only for GET and HEAD
> >methods. I know the JDC and a web site I wrote use POST for the login
> >form and issue a redirect as a response. Any browser I've tried this
> >with honors the redirect. I can send some test code I've been using to
> >test the automated login (that includes handling cookies).
> >Anyway, I've observed browsers honoring the redirect on a POST, can't
> >httpclient be configured that way? Looking at the source code tells me
> >no. (I've been using 2.0 alpha 3).
> >
> >Thanks,
> >David
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
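
The application-level retry loop discussed in this thread, as an added example that is not part of the original messages and is not HttpClient code: Python stands in for the client, and `send`, `transport`, `confirm`, `MAX_HOPS` and the `example.test` site are assumptions constructed for illustration. A POST answered with 301, 302 or 303 is followed by a body-less GET, the POST is replayed only when the `confirm` callback approves the target, and a hop cap stops redirect loops.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307}
MAX_HOPS = 5  # assumed cap for this example; stops redirect loops


def send(transport, method, url, body=None, confirm=lambda m, target: False):
    """Send one request and handle redirects at application level.

    transport(method, url, body) -> (status, headers) is a hypothetical
    stand-in for the real HTTP call. Returns (status, url, history).
    """
    history = []
    for _ in range(MAX_HOPS + 1):
        status, headers = transport(method, url, body)
        history.append((method, url, status))
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return status, url, history
        target = urljoin(url, location)  # Location may be relative
        if method not in ("GET", "HEAD"):
            if status != 303 and confirm(method, target):
                pass  # explicitly approved: replay same method and body
            elif status == 307:
                return status, url, history  # method must not change: hand back
            else:
                method, body = "GET", None  # fetch target, never re-send the form
        url = target
    raise RuntimeError("too many redirects")


# Constructed sample site: a login form that answers POST with a redirect.
SITE = {
    ("POST", "http://example.test/login"): (302, {"Location": "/home"}),
    ("GET", "http://example.test/home"): (200, {}),
    ("POST", "http://example.test/moved"): (307, {"Location": "/login"}),
    ("GET", "http://example.test/loop"): (302, {"Location": "/loop"}),
}
SENT = []  # every (method, url, body) that reached the fake server


def fake_transport(method, url, body):
    SENT.append((method, url, body))
    return SITE.get((method, url), (404, {}))


if __name__ == "__main__":
    print(send(fake_transport, "POST", "http://example.test/login", "user=a&pw=b"))
```

With the default `confirm`, the form body reaches only the URL the caller named; a 307 is returned to the caller instead of being followed.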
