[Catalyst] Re: Reseting a chained action

A. Pagaltzis pagaltzis at gmx.de
Sat Aug 25 16:57:07 GMT 2007


* Pedro Melo <melo at simplicidade.org> [2007-08-09 00:05]:
> On Aug 8, 2007, at 1:38 PM, A. Pagaltzis wrote:
> >If you do in fact modify state on the server based on
> >information in the URI, I hope that you at least require POST
> >for these requests?
> 
> We always redirect after POST.

That wasn’t what I was talking about at all.

The question is whether your URIs include commands, and if so,
whether retrieving them with GET will trigger changes to records
just the way POST does. In that case you have a problem.

> >Otherwise things like Google Web Accelerator or Firefox’s
> >prefetching will badly break your app, proxy caches may cause
> >heisenbugs, and all sorts of other mayhem.
> 
> I understand the dangers of not redirecting after POST :)

Again it has nothing to do with redirecting after POST.

It’s about whether you allow GET, which is supposed to be safe,
i.e. if a client causes data loss by using GET to inspect a
resource, it’s not the client’s fault, it’s the server’s.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
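
An added example, not part of the original message and not Catalyst's own API: a minimal PSGI-style dispatcher in plain Perl showing what a prefetcher's GET does to a command URI, first when the route acts on any method and then when state-changing routes require POST. The route table, paths and records are hypothetical and constructed for the illustration.

```perl
use strict;
use warnings;
# Constructed sample data standing in for database records.
my %records = (1 => 'alpha', 2 => 'beta');

sub show_record {
    my ($id) = @_;
    return exists $records{$id} ? [ 200, [], [ $records{$id} ] ] : [ 404, [], ['Not Found'] ];
}

sub delete_record {
    my ($id) = @_;
    delete $records{$id};
    # Redirect after POST: a separate concern from which methods are accepted.
    return [ 303, [ Location => '/record' ], [] ];
}

# Hypothetical route table: [ path pattern, handler, modifies state? ]
my @routes = (
    [ qr{^/record/(\d+)$},        \&show_record,   0 ],
    [ qr{^/record/(\d+)/delete$}, \&delete_record, 1 ],
);

# PSGI-style app factory; $enforce makes state-changing routes require POST.
sub make_app {
    my ($enforce) = @_;
    return sub {
        my ($env) = @_;
        for my $route (@routes) {
            my ($pattern, $handler, $modifies) = @$route;
            my ($id) = $env->{PATH_INFO} =~ $pattern or next;
            # GET is supposed to be safe, so refuse it (and anything but POST) here.
            return [ 405, [ Allow => 'POST' ], ['Method Not Allowed'] ]
                if $enforce && $modifies && $env->{REQUEST_METHOD} ne 'POST';
            return $handler->($id);
        }
        return [ 404, [], ['Not Found'] ];
    };
}

# Constructed requests: a prefetcher's GET on the delete link, then a form POST.
for my $enforce (0, 1) {
    %records = (1 => 'alpha', 2 => 'beta');    # reset state for each run
    my $app = make_app($enforce);
    for my $method (qw(GET POST)) {
        my $res = $app->({ REQUEST_METHOD => $method, PATH_INFO => '/record/2/delete' });
        printf "enforce=%d %-4s -> %d, record 2 %s\n", $enforce, $method,
            $res->[0], exists $records{2} ? 'present' : 'deleted';
    }
}
```

Without enforcement the GET alone removes the record; with it, only the POST does, and the redirect afterwards is unaffected either way.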
