
[whatwg] page refresh and resubmitting POST state

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Sun, 24 May 2009 11:50:38 -0400
Message-ID: <7c2a12e20905240850y36ee953cu883c987aba6779ca@mail.gmail.com>

On Sun, May 24, 2009 at 11:41 AM, Kornel Lesinski <kornel at geekhood.net> wrote:
> It only needs to keep it as long as Back history is kept, and could get
> rid of it as soon as this entry is removed from Back/Forward history.

In practice, that history can be kept for a long time.  Even if the
tab is closed, "undo close tab" still keeps the history.  Even if the
browser closes, the old session may be kept in newer browsers.  But as
long as it's kept for long enough that it's very rare to see the
message, I don't think it's a big problem.

> You store the data on server side, and redirect to URL that contains
> unique ID for this data.
>
> It's just a few lines in PHP (and similar solutions should be possible in all web frameworks):
>
> $id = uniqid();
> $_SESSION[$id] = $_POST;
> header("Location: [?]/result.php?id=$id",false,303);
>
> and later:
>
> $_POST = $_SESSION[$_GET['id']];
>
> This works even for multiple submissions done in parallel and it's pretty
> secure and tamper-proof.

That does seem like a pretty good solution.  Perhaps Mike Wilson can
point out the problems with it.

> Is it possible for HTML 5 spec to say that browsers may re-send PUT without asking? (and that authors should use PUT only when resending is not going to cause these problems).

When would that be?

Received on Sunday, 24 May 2009 08:50:38 UTC
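
A hardened variant of the store-and-redirect pattern quoted in the message above, as an added example that is not part of the original thread: the id comes from `random_bytes()` rather than the time-based `uniqid()`, and lookups are confined to a dedicated session namespace so that `?id=` cannot name an unrelated session key. The `prg` session key, the helper names and the entry cap are assumptions of this example.

```php
<?php
// Added example: single-file Post/Redirect/Get handler.
// Try it with `php -S localhost:8000 prg.php` and POST a form to it.
// The 'prg' key, helper names and PRG_MAX_ENTRIES are assumptions of this example.
declare(strict_types=1);

const PRG_MAX_ENTRIES = 20; // cap on stored submissions per session

function prg_store(array $post): string
{
    $id = bin2hex(random_bytes(16));   // 128-bit random id, not derived from the clock
    $_SESSION['prg'][$id] = $post;     // own namespace, apart from other session data
    // Keep only the newest entries so repeated POSTs cannot grow the session unbounded.
    $_SESSION['prg'] = array_slice($_SESSION['prg'], -PRG_MAX_ENTRIES, null, true);
    return $id;
}

function prg_load($id): ?array
{
    // $_GET['id'] may be missing or an array (?id[]=x); accept only the exact
    // token format and look it up only inside the 'prg' namespace.
    if (!is_string($id) || preg_match('/\A[0-9a-f]{32}\z/', $id) !== 1) {
        return null;
    }
    return $_SESSION['prg'][$id] ?? null;
}

session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $id = prg_store($_POST);
    header('Location: ?id=' . $id, true, 303); // 303: the browser follows with a GET
    exit;                                      // send nothing after the redirect
}

$data = prg_load($_GET['id'] ?? null);
if ($data === null) {
    http_response_code(404);
    exit('No stored submission for this id.');
}

// Plain text output, so stored form values are not interpreted as HTML.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo "Stored submission:\n";
print_r($data);
```

Refreshing the result page repeats only the GET, so the browser has no POST body to resubmit.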

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:49 UTC