Per Jessen wrote:
> Robert Erbaron wrote:
> 
>>> yes - abusing redirects as described is wasteful. and certainly it's
>>> the first time I've ever heard the statement 'Never show pages in
>>> response to POST' sounds like hubris to me.
>> I've seen the statement in a number of messages in the archives here
>> and in google searches. 
> 
> Personally, I try to avoid the situation where you might get a
> double-POST if the user decides to do a reload/refresh.  Which means
> processing the POST-request, but finishing it off with a 303 redirect. 
> 

this can still be 'broken' by using the back button ... I find a safer way
(if the application design allows it) is to include a one-time token with
each POST request - if a token has already been used (or is invalid) the POST
processing is not done.

> 
> /Per Jessen, Zürich
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
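
The one-time token idea from the reply above, combined with the 303 redirect it responds to, as an added example that is not part of the original thread. The field name `form_token`, the session keys `form_tokens` and `flash`, and the path in `FORM_URL` are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

const FORM_URL = '/form.php';   // assumed location of this script
const MAX_TOKENS = 20;          // assumed cap on outstanding tokens per session

session_start();

// Issue a fresh single-use token and remember it server-side.
function issue_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$token] = time();
    // Keep only the newest tokens so the session cannot grow without bound.
    $_SESSION['form_tokens'] = array_slice($_SESSION['form_tokens'], -MAX_TOKENS, null, true);
    return $token;
}

// True only the first time a token issued by this session is presented.
function consume_token(string $token): bool
{
    if ($token === '' || !isset($_SESSION['form_tokens'][$token])) {
        return false;
    }
    unset($_SESSION['form_tokens'][$token]);   // burn it before doing any work
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['form_token'] ?? '';
    if (is_string($token) && consume_token($token)) {
        // First submission: perform the state-changing work exactly once here.
        $_SESSION['flash'] = 'Submission processed.';
    } else {
        // Reload, back-button resubmit, or unknown token: POST processing is skipped.
        $_SESSION['flash'] = 'This form was already submitted or has expired.';
    }
    // 303 makes the browser fetch the result with GET, so a refresh does not re-POST.
    header('Location: ' . FORM_URL, true, 303);
    exit;
}

$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
$token = issue_token();
?>
<p><?= htmlspecialchars($flash) ?></p>
<form method="post" action="<?= htmlspecialchars(FORM_URL) ?>">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token) ?>">
  <button type="submit">Submit</button>
</form>
```

With PHP's default file-based session handler, requests in the same session are serialized by the session lock, so two simultaneous submissions of the same token cannot both pass `consume_token()`.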
