Posted to users@httpd.apache.org by James Adams <ja...@yahoo.com> on 2004/10/15 01:37:56 UTC

[users@httpd] Re: Redirected URL query string being lost

It was pointed out to me that what I'm trying to do is
not a good idea, in that it's a security violation to
redirect HTTP POST requests.  From the HTTP spec
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html):

If the 301 status code is received in response to a
request other than GET or HEAD, the user agent MUST
NOT automatically redirect the request unless it can
be confirmed by the user, since this might change the
conditions under which the request was issued.


So is there another way of rerouting these requests ? 
I want to have the URLs in question bypass Apache and
instead go to the servlets which are being served by
JBoss/Tomcat on another port.  Is there a way in UNIX
to do something like "map /PutMsg to /PutMsg at port
X, and don't let Apache handle it first" ? 


--James


		

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Redirected URL query string being lost

Posted by Nick Kew <ni...@webthing.com>.
On Thu, 14 Oct 2004, James Adams wrote:

> It was pointed out to me that what I'm trying to do is
> not a good idea, in that it's a security violation to
> redirect HTTP POST requests.

Indeed, it's not a good idea.  Unless the POST is always small,
wasted bandwidth becomes another concern too.

> So is there another way of rerouting these requests ?

Sounds to me[1] as if you're looking for a reverse proxy.
http://www.apacheweek.com/features/reverseproxies

[1] from what you've said in this post; I have no recollection of what
    preceded it.

-- 
Nick Kew



AW: AW: [users@httpd] Re: Redirected URL query string being lost

Posted by Steffen Heil <li...@steffen-heil.de>.
Hi

> If (as I think someone said), what you're actually doing POST to do
> something and redirect to return a page, why not drop the redirect and use a
> 201 response instead?

201 is "Created". This is not exactly what I am doing, but I could live with
it. However, it does not allow me to send the browser to another page, or am
I missing something?

> NEED is a strong word.  Maybe an HTML <base> would accomplish what you
> really need?  Together with a Content-Location header.

No, not in my case.

Regards,
  Steffen

Re: AW: [users@httpd] Re: Redirected URL query string being lost

Posted by Nick Kew <ni...@webthing.com>.
On Fri, 15 Oct 2004, Steffen Heil wrote:

> I observed that I can set ... action="?" ..., which is a relative url with
> no parameters.
> Is this valid (X)HTML ?

Yes, though action="#" is more usual.

> > A 30x return code means that the resource requested is at another URI.
>
> No, 303 seems to do the right thing, but rfc2616 seems to imply that most
> user agents don't understand this and you should use 302.

302 was originally unambiguous.  But Mosaic and its descendants did
unambiguously the wrong thing, eventually precipitating a change in HTTP.

If (as I think someone said), what you're actually doing POST to do
something and redirect to return a page, why not drop the redirect
and use a 201 response instead?

> In my case this is not possible, since I NEED to change URLs.

NEED is a strong word.  Maybe an HTML <base> would accomplish
what you really need?  Together with a Content-Location header.

> My last resort would be HTTP-EQUIV or JavaScript redirects, which I don't
> like either.

Agreed there:-)

-- 
Nick Kew



Re: [users@httpd] Re: Redirected URL query string being lost

Posted by Robert Andersson <ro...@profundis.nu>.
Steffen Heil wrote:
> Right now it works in IE, Mozilla, Firefox and other tested browsers.

Yes, but we should build by standards, not so it happens to work in some 
browsers. I'm a fundamentalist, I know ;)

> I observed that I can set ... action="?" ..., which is a relative url with
> no parameters.
> Is this valid (X)HTML ?

Perfectly valid, and generally what I do. At least I think so, I would need 
to re-read RFC 1808 to be 100% sure:
http://www.ietf.org/rfc/rfc1808.txt

> No, 303 seems to do the right thing, but rfc2616 seems to imply that
> most user agents don't understand this and you should use 302.

You're right! I missed that. This code seems to be the standard way of 
achieving what we want.

I think the "pre-HTTP/1.1" user agents they talk about are really old; was 
the 303 code introduced in HTTP/1.1? If so, I'd think those who do not 
recognize the 303, would still do the desired thing when they get a 3xx 
status with a Location header.

This is getting very OT, but hopefully someone found it educational.

Regards,
Robert Andersson 
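
Added example, not part of any post in this thread: the POST-then-303 pattern discussed above, with a handler that performs the action once on POST and answers 303 See Other, and a client that then fetches the result with GET. The paths /form and /thanks, the SUBMISSIONS list and the use of Python's standard library are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

SUBMISSIONS = []  # constructed stand-in for the side effect of the POST

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        SUBMISSIONS.append(parse_qs(self.rfile.read(length).decode()))
        # 303: the user agent fetches the result with GET; the body is not resent
        self.send_response(303)
        self.send_header("Location", "/thanks")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"thank you" if self.path == "/thanks" else b"form"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, method, path, body=None):
    """One request on its own connection; redirects are not followed."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read().decode())
    conn.close()
    return result

def run_exchange():
    """POST the form, then follow the 303 by hand with a GET."""
    SUBMISSIONS.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, location, _ = fetch(server.server_port, "POST", "/form", "msg=hello")
        page_status, _, page = fetch(server.server_port, "GET", location)
        return status, location, page_status, page, len(SUBMISSIONS)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_exchange())
```

Reloading the /thanks page repeats only the GET, so the action recorded in SUBMISSIONS is not performed a second time.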




AW: [users@httpd] Re: Redirected URL query string being lost

Posted by Steffen Heil <li...@steffen-heil.de>.
Hi

> Note that "action" is a REQUIRED attribute; if you leave it out, your
> markup is not valid (X)HTML.

Right now it works in IE, Mozilla, Firefox and other tested browsers.

However, I agree, that I would like to be standard-compliant. Now, I have
the problem, that I don't know the url of the page (it is a module of your
content-management system).

I observed that I can set ... action="?" ..., which is a relative url with
no parameters.
Is this valid (X)HTML ?

> According to the HTTP specification, it does mean that, but I don't know
> if all user agents behave that way.

No, at least IE doesn't. Firefox probably doesn't either.

> A 30x return code means that the resource requested is at another URI.

No, 303 seems to do the right thing, but rfc2616 seems to imply that most
user agents don't understand this and you should use 302.

> Hehe... no, I will probably not do that now.

:D

> The method would be to render a page as a result of the POST request, and
> maybe make some mechanism so the action isn't reperformed.

In my case this is not possible, since I NEED to change URLs.
My last resort would be HTTP-EQUIV or JavaScript redirects, which I don't
like either.

Regards,
  Steffen

Re: [users@httpd] Re: Redirected URL query string being lost

Posted by Robert Andersson <ro...@profundis.nu>.
Steffen Heil wrote:
> I am doing the following:
> I have a form, which has no action property, so the form is
> submitted to the same url.

Note that "action" is a REQUIRED attribute; if you leave it out, your markup 
is not valid (X)HTML.

> There I evaluate the POST/GET parameters and then redirect
> to another page, basically saying "thank you" or "error occurred".
> I use code 302 redirects.
>
> Now, does this mean the user agent should resend???

According to the HTTP specification, it does mean that, but I don't know if 
all user agents behave that way. If you think about it, it makes sense. A 
30x return code means that the resource requested is at another URI.

>> Now I only have to go rewrite all sites I've made :-(
>> I'll see you guys in a couple of years...
>
> I hope this was not meant for real, I would need to do the same, in fact
> I would not even know how to do that correctly in any other way...

Hehe... no, I will probably not do that now. I will however take this into 
consideration for current and future projects. The method would be to render 
a page as a result of the POST request, and maybe make some mechanism so the 
action isn't reperformed.

Regards,
Robert Andersson 




AW: [users@httpd] Re: Redirected URL query string being lost

Posted by Steffen Heil <li...@steffen-heil.de>.
Hi

> Oh dear. I have always redirected POST requests, in order to reroute the
> user. I've thought of it as the proper thing to do. Never thought about that
> this logically should mean the user agent should "resubmit" the request to
> the new URI, but rather to tell it "done, now go here". Thanks for bringing
> it up.

I am doing the following:
I have a form, which has no action property, so the form is submitted to the
same url. There I evaluate the POST/GET parameters and then redirect to
another page, basically saying "thank you" or "error occurred".
I use code 302 redirects.

Now, does this mean the user agent should resend???

> Now I only have to go rewrite all sites I've made :-( I'll see you guys in
> a couple of years...

I hope this was not meant for real, I would need to do the same, in fact I
would not even know how to do that correctly in any other way...

Regards,
  Steffen

Re: [users@httpd] Re: Redirected URL query string being lost

Posted by Robert Andersson <ro...@profundis.nu>.
James Adams wrote:
> It was pointed out to me that what I'm trying to do is
> not a good idea, in that it's a security violation to
> redirect HTTP POST requests.  From the HTTP spec
> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html):
>
> If the 301 status code is received in response to a
> request other than GET or HEAD, the user agent MUST
> NOT automatically redirect the request unless it can
> be confirmed by the user, since this might change the
> conditions under which the request was issued.

Oh dear. I have always redirected POST requests, in order to reroute the 
user. I've thought of it as the proper thing to do. Never thought about that 
this logically should mean the user agent should "resubmit" the request to 
the new URI, but rather to tell it "done, now go here". Thanks for bringing 
it up.

Now I only have to go rewrite all sites I've made :-(
I'll see you guys in a couple of years...

Regards,
Robert Andersson 

