-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Veikko Mäkinen wrote:
> I didn't read the article and all its reasoning but I'd say the rule
> should be "Never show pages in response to a _successful_ POST." If the
> user sends invalid data I think it's OK to show the same page again. And
> this is something Agavi - with the help of AgaviFormPopulationFilter -
> makes so so easy.
Call me crazy, but I don't think there's a problem with showing a page in
response to a successful POST for many forms. The double-submit problem is
remedied by using a form-instance-unique identifier in a hidden input (which
is duplicated in the session and then verified and deleted upon form
submission); this additionally protects against CSRF and is generally a good
idea to use. I think this is discussed (albeit a bit differently) in the
article that Michal linked.

Regards,
Noah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmrngMACgkQhitK+HuUQJReiACfe6532asZcX7qob50gh/wt4DE
87gAn3dyP7jVPGvLO+yF1uDFQmiWkXy7
=4Vrt
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
[email protected]
http://lists.agavi.org/mailman/listinfo/users
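The per-form-instance token Noah describes (issued into a hidden input, mirrored in the session, verified and deleted on submission) in working form, as an added example that is not part of the original thread and not Agavi's own code. It is framework-agnostic Python: a plain dict stands in for the server-side session, the session slot name `form_tokens`, the input name `_form_token`, the `MAX_TOKENS` cap and the comment-form `handle_post` handler are all constructed for this illustration. It also shows how the token interacts with Veikko's case of re-showing the page on invalid data: the spent token is replaced by a fresh one rather than revived.

```python
import hmac
import html
import secrets

# Session slot in which outstanding form tokens are kept (hypothetical name).
SESSION_KEY = "form_tokens"
# Upper bound on outstanding tokens per session, so many open tabs cannot
# grow the session without limit; the oldest token is dropped first.
MAX_TOKENS = 20


def issue_token(session: dict) -> str:
    """Create a fresh per-form-instance token and remember it in the session.

    The returned value goes into a hidden input of the rendered form; the
    copy kept in the session is what the POST handler later verifies.
    """
    token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
    tokens = session.setdefault(SESSION_KEY, [])
    tokens.append(token)
    del tokens[:-MAX_TOKENS]                    # keep only the newest MAX_TOKENS
    return token


def hidden_input(token: str, name: str = "_form_token") -> str:
    """Render the hidden input carrying the token (name and value HTML-escaped)."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(token, quote=True))


def consume_token(session: dict, submitted) -> bool:
    """Verify a submitted token against the session and delete it on success.

    Returns True exactly once per issued token. A second POST carrying the
    same token (double submit / refresh) and a token that was never issued
    to this session (cross-site forgery) both return False.
    """
    if not isinstance(submitted, str) or not submitted:
        return False
    tokens = session.get(SESSION_KEY, [])
    candidate = submitted.encode("utf-8")
    for index, stored in enumerate(tokens):
        # Constant-time comparison so timing does not leak token bytes.
        if hmac.compare_digest(stored.encode("utf-8"), candidate):
            del tokens[index]                   # one-time use: delete on success
            return True
    return False


def handle_post(session: dict, form: dict) -> tuple:
    """Process a POST of a simple comment form (constructed example).

    Returns ("rejected", None) when the token is missing, reused or foreign,
    ("reshow", new_token) when the token was good but the data invalid, so
    the same page can be shown again with a fresh token, and ("ok", None)
    when the submission was accepted.
    """
    if not consume_token(session, form.get("_form_token")):
        return ("rejected", None)
    comment = (form.get("comment") or "").strip()
    if not comment:
        # Invalid data: the original token is already spent, so hand the
        # re-rendered form a new one instead of reviving the old value.
        return ("reshow", issue_token(session))
    # ... persist `comment` here ...
    return ("ok", None)


if __name__ == "__main__":
    session = {}                                # stands in for the server-side session
    token = issue_token(session)
    print(hidden_input(token))
    print(handle_post(session, {"_form_token": token, "comment": "hello"}))   # ('ok', None)
    print(handle_post(session, {"_form_token": token, "comment": "hello"}))   # ('rejected', None)
```

The token is bound to the session rather than to the page, so a forged cross-site POST cannot supply one that matches, and because it is deleted the moment it verifies, a refresh or a second click re-sends a value the session no longer knows. Keeping a short list instead of a single token lets a user have several tabs of the same form open without one invalidating the others.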
