On 9/17/06, Jorge Godoy <[EMAIL PROTECTED]> wrote:
>
> "Tim Lesher" <[EMAIL PROTECTED]> writes:
>
> > User agents aren't allowed to automatically fetch a resource with any
> > method other than HEAD or GET, without user intervention (see RFC
> > 2616).
>
> They shouldn't, but that's not what happens.  Usually using GET wouldn't
> modify anything and using POST would, but for the latter that isn't all true.

This is nothing to do with the REST GET/POST argument, actually.  Fire
up a sniffer and take a look at the network trace on login to a TG
app.  Here's what happens:

GET / => status 200 (OK) welcome page, containing a link to /login
GET /login => status 403 (Forbidden), with the login form page, and an
action to POST /login
POST /login (with data) => 302 (Found), with the "Location" header set to "/"
GET / => status 200 (OK) welcome page.

On a status 302 (or 303), the browser always converts the POST to a
GET.  Only on a 307 (which CherryPy doesn't use) is the browser
allowed to re-issue the POST, and then must allow user verification.

>
> > What's the reason you need to "hide" the parameters?  Knowing this
> > might help come up with a solution.
>
> I believe URLs are prettier without all the information on it.

I know the canonical reasons to hide parameters.  I wanted to know
what _his_ primary motivation was, in order to suggest a solution
that's in line with his aims. :-)

> I don't know his code, but I have the
> feeling that he's got a multi-page form and is passing information around.  If
> it is that, he'd be able to use hidden fields

Yep--if that's his situation, that's what I'd recommend as well.

It looked from the original example that he was doing a redirect
either unconditionally or based on some other decision that wasn't
shown in the example, so it wasn't obvious that there is anything to
be stored in a hidden field.

-- 
Tim Lesher <[EMAIL PROTECTED]>
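
The login trace described in the message above can be reproduced locally; this is an added example, not part of the original message and not TurboGears or CherryPy code. It assumes Python's urllib as a stand-in for the browser, a constructed form body, and a throwaway server on 127.0.0.1 that records each request it receives.

```python
# Added example: urllib stands in for the browser; the form data is constructed.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(redirect_status, seen):
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status, body=b"", location=None):
            seen.append((self.command, self.path, status))
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            if self.path == "/login":
                self._reply(403, b"<form method='post' action='/login'>")
            else:
                self._reply(200, b"welcome")

        def do_POST(self):
            # Drain the form body, then redirect to "/" as in the trace.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self._reply(redirect_status, location="/")

        def log_message(self, *args):  # keep the server quiet
            pass

    return Handler


def login_trace(redirect_status):
    """Return the (method, path, status) tuples the server saw for one login."""
    seen = []
    server = HTTPServer(("127.0.0.1", 0), make_handler(redirect_status, seen))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        opener.open("http://127.0.0.1:%d/login" % server.server_port,
                    data=b"user=demo&password=x")
    except urllib.error.HTTPError:
        pass  # urllib will not re-send a POST on its own after a 307
    finally:
        server.shutdown()
        server.server_close()
    return seen
```

With 302 or 303 the second request arrives as a GET with no form body, so the submitted credentials are not replayed to the redirect target; with 307 the client stops rather than re-issuing the POST unattended.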
