[Catalyst] preserve the URL in browser box
A. Pagaltzis
pagaltzis at gmx.de
Thu Jan 19 09:57:19 CET 2006
Hi Brandon,
* Brandon Black <blblack at gmail.com> [2006-01-18 18:25]:
>>humbug, don't make changes with GET. use POST.
>
>Then they'll just get an annoying text box that says "blah blah
>blah" for all they care, click ok, and continue on with the
>reload :)
That’s why you return a redirect from POSTs.
Here’s the easy 2-step program for building web apps that are not
fragile:
0. Ground rule: updates are done *only* on POST, *NEVER* on GET.
This makes you a good HTTP citizen, preventing crawlers,
prefetchers, etc from causing all sorts of mayhem.
1. In the event that someone does try to GET a handler that
expects to be POSTed to, the handler should make no updates,
but rather return a page with a form on it that contains the
submitted data in hidden fields. A user can thus repeat the
request as a proper POST.
Now you may not like using buttons everywhere and would like
to have things like “delete this row” as links. And you don’t
want users to have to go through an extra page for such a link.
Then add to these links an `onclick` handler that submits a
hidden form with that data as a POST.
Usually you already have an `onclick` handler anyway on such
links to pop up an “are you sure” confirmation box. As it
happens, users without Javascript now get the server-generated
form as a fallback for the confirmation request. Hey presto.
2. In response to a POST, handlers *never* return a page,
*always* a 303 redirect.
When the browser gets a redirect back from a POST, it forgets
the POST. So a user clicking Back will go back to the form, but
if they then click Forward, the browser goes directly to the
redirect target and does not attempt to repeat the POST.
(And please don’t use 302; in practice 302 works because
browsers have to accommodate that everyone does this wrong, but
303 is the correct status to use, and is supported just as
well.)
That’s it.
And it’s formulaic enough that it could be abstracted, although I
haven’t seen any framework that does so, yet.
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
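
Added example, not part of the original message and not Catalyst code: a framework-neutral WSGI sketch of the three rules above (no update on GET, GET to an update handler returns a POST form with the data in hidden fields, POST always answers 303). The `/delete` and `/rows` routes, the `ROWS` store and the `call` helper are hypothetical names chosen for illustration.

```python
# Added illustration: stdlib-only WSGI app; routes and data are constructed.
import io
from html import escape
from urllib.parse import parse_qsl

ROWS = {"1": "alpha", "2": "beta"}  # constructed sample data

def confirm_form(path, params):
    """Rule 1: echo the GET parameters as hidden fields in a POST form."""
    hidden = "".join(
        '<input type="hidden" name="%s" value="%s">'
        % (escape(k, quote=True), escape(v, quote=True))  # reflected input
        for k, v in params
    )
    return ('<form method="post" action="%s">%s'
            '<button>Confirm</button></form>'
            % (escape(path, quote=True), hidden))

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "/")
    if path == "/delete" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = dict(parse_qsl(environ["wsgi.input"].read(size).decode()))
        ROWS.pop(form.get("id"), None)  # the only place state changes
        # Rule 2: never a page after a POST, always 303 See Other.
        start_response("303 See Other", [("Location", "/rows")])
        return [b""]
    if path == "/delete" and method == "GET":
        # Rules 0 and 1: no update on GET; offer the same request as a POST.
        params = parse_qsl(environ.get("QUERY_STRING", ""))
        body = confirm_form(path, params).encode()
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body]
    if path == "/rows" and method == "GET":
        body = "\n".join("%s: %s" % kv for kv in sorted(ROWS.items())).encode()
        start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
        return [body]
    start_response("404 Not Found", [])
    return [b""]

def call(method, path, query="", body=b""):
    """Drive the app in-process; returns (status, headers dict, body)."""
    seen = {}
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(env, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], out
```

Because the fallback form reflects request parameters back into HTML, the values are escaped before being written into the hidden fields.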