[Javascript] Prevent expired POST results (Was: Control the window)

Nick Fitzsimons nick at nickfitz.co.uk
Wed Aug 30 12:03:06 CDT 2006


On 30 Aug 2006, at 17:11, Peter Brunone wrote:

> Ooh, I like that.  Nice, functional, and fully server-side.
>
> I assume they could just hit the Back button twice to get to the  
> post page... but then again, you could get really clever and use  
> location.replace for your GET... or would that still be considered  
> part of the original POST request?
>

No, you send it an HTTP "301 Moved Permanently" redirect:
<http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.2>
The browser will clear the POST completely from its cache, and any  
attempt to go to it via the Back button or in script will just take  
you to the page specified by the redirect.

Extra note: If you want to display the results of some transaction,  
you may be tempted to include a transaction ID in your redirect using  
the query string, but you have to watch out for security  
considerations that way. Some alternative method of maintaining  
session state will allow you to do the same thing and should be more  
secure, assuming you've dealt with all the possible security issues  
in your session management code :-)

Cheers,

Nick.

> From: Scott Reynen scott at randomchaos.com
>
> I solve this problem by redirecting POST to GET. When data is
> posted, I generate the resulting HTML, save it to a database, and
> immediately redirect to a GET request for the database record I just
> created. The POST will not show up in the history, and the HTML
> result of the POST request will only expire when I decide to remove
> it from the database. Much less annoying than breaking the back  
> button.
>
Nick Fitzsimons
http://www.nickfitz.co.uk/
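
The redirect-after-POST pattern from this thread, with the result looked up through session state instead of a transaction ID in the query string, as an added example that is not part of the original messages. The handle() function, the request/response object shapes, the /transfer paths and the session IDs are hypothetical, and session management is assumed to exist already; the sketch answers the POST with 303 See Other, the status HTTP defines for sending the client to another resource with GET.

```javascript
// Added sketch: POST -> redirect -> GET, result keyed by session, not by URL.
// Shapes and names are hypothetical, not any framework's API.
const resultsBySession = new Map(); // sessionId -> last transaction result

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function handle(req) {
  // Assumption: req.sessionId was set by an existing, authenticated session layer.
  if (!req.sessionId) {
    return { status: 401, headers: {}, body: 'no session' };
  }
  if (req.method === 'POST' && req.path === '/transfer') {
    // Perform the transaction once and keep the outcome server-side.
    const result = { amount: Number(req.body.amount), to: String(req.body.to) };
    resultsBySession.set(req.sessionId, result);
    // The redirect target carries no transaction ID, so there is nothing to
    // guess, bookmark, or leak through history, logs or the Referer header.
    return { status: 303, headers: { Location: '/transfer/result' }, body: '' };
  }
  if (req.method === 'GET' && req.path === '/transfer/result') {
    // Only the session that made the POST can see its result.
    const result = resultsBySession.get(req.sessionId);
    if (!result) {
      return { status: 404, headers: {}, body: 'no result for this session' };
    }
    return {
      status: 200,
      headers: { 'Cache-Control': 'no-store' },
      body: `Sent ${result.amount} to ${escapeHtml(result.to)}`,
    };
  }
  return { status: 404, headers: {}, body: 'not found' };
}
```
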