(sorry for messing up the threading a bit, had to fetch the msg I'm 
replying to from the unidirectional Gmane feed of this list)

"Tim Lesher" <[EMAIL PROTECTED]> writes:

> On 9/17/06, Jorge Godoy <[EMAIL PROTECTED]> wrote:
> >
> > "Tim Lesher" <[EMAIL PROTECTED]> writes:
> >
> > > User agents aren't allowed to automatically fetch a resource with any
> > > method other than HEAD or GET, without user intervention (see RFC
> > > 2616).
> >
> > They shouldn't, but that's not what happens.  Usually using GET wouldn't
> > modify anything and using POST would, but for the latter that isn't all 
> > true.
>
> This is nothing to do with the REST GET/POST argument, actually.  Fire
> up a sniffer and take a look at the network trace on login to a TG
> app.  Here's what happens:

It's surely *something* to do with that argument.

For what little it's worth, the well-established behaviour you (almost) 
correctly describe below is certainly in violation of the RFC.


> GET / => status 200 (OK) welcome page, containing a link to /login)
> GET /login => status 403 (Forbidden), with the login form page, and an
> action to POST /login
> POST /login (with data) => 302 (Found), with the "Location" header set
> to "/"
> GET / => status 200 (OK) welcome page.
>
> On a status 302 (or 303), the browser always converts the POST to a
> GET.  Only on a 307 (which CherryPy doesn't use) is the browser
> allowed to re-issue the POST, and then must allow user verification.
[...]

Apparently IE 6 violates the RFC for 307 by failing to prompt the user 
(which is kind of remarkable given that 307 was brought in specifically to
help clear up this redirection mess!  Seems possible it was a deliberate 
decision on the part of the IE team).  At some point I must have verified 
all this carefully, but too long ago to be certain without checking 
again...

For more than any sensible person would want to know on this subject,
read this:

http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html



John
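
Added example (not part of the original message, and not CherryPy or TurboGears code): a small Python model of the redirect handling discussed in this thread, replaying the quoted login trace to show when the POSTed form data is dropped and when it is re-sent. The function names, the policy labels and the route tables are assumptions constructed for illustration.

```python
# Constructed model of the behaviour discussed in the thread; hypothetical names.
SAFE = {"GET", "HEAD"}

def next_request(status, method, body, policy, user_confirms=False):
    """Return (method, body) for the follow-up request, or None when the
    redirect must not be followed automatically.

    policy "rfc2616":  strict reading of RFC 2616 (no automatic redirect of a
                       non-GET/HEAD request on 302 or 307 without confirmation).
    policy "de_facto": 302 handled like 303, as the quoted message describes.
    """
    if status not in (302, 303, 307):
        return None
    if method in SAFE:
        return (method, None)
    if status == 303 or (status == 302 and policy == "de_facto"):
        return ("GET", None)      # POST rewritten to GET, form data dropped
    # 307 under either policy, 302 under "rfc2616": the method and body are
    # kept, so the user has to confirm. A client that skips the prompt behaves
    # like user_confirms=True and re-sends the form data to the new location.
    return (method, body) if user_confirms else None

# Constructed route table mirroring the trace quoted above: (status, Location).
ROUTES = {
    ("GET", "/"): (200, None),
    ("GET", "/login"): (403, None),
    ("POST", "/login"): (302, "/"),
}
# Same application, but answering the login POST with a 307 instead.
ROUTES_307 = {**ROUTES, ("POST", "/login"): (307, "/"), ("POST", "/"): (200, None)}

def run(method, path, body, policy, routes=ROUTES, user_confirms=False, max_hops=5):
    """Follow redirects; return a list of (method, path, status, body_sent)."""
    trace = []
    for _ in range(max_hops):
        status, location = routes[(method, path)]
        trace.append((method, path, status, body is not None))
        step = next_request(status, method, body, policy, user_confirms) if location else None
        if step is None:
            return trace
        (method, body), path = step, location
    return trace

if __name__ == "__main__":
    form = "user_name=alice&password=constructed"   # constructed sample data
    for policy in ("de_facto", "rfc2616"):
        print(policy, run("POST", "/login", form, policy))
    print("307, confirmed", run("POST", "/login", form, "rfc2616", ROUTES_307, True))
```

The fourth field of each trace entry shows whether the form data travelled with that request.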

