[whatwg] page refresh and resubmitting POST state

Aryeh Gregor Simetrical+w3c at gmail.com
Sun May 24 08:50:38 PDT 2009


On Sun, May 24, 2009 at 11:41 AM, Kornel Lesinski <kornel at geekhood.net> wrote:
> It only needs to keep it as long as Back history is kept, and could get
> rid of it as soon as this entry is removed from Back/Forward history.

In practice, that history can be kept for a long time.  Even if the
tab is closed, "undo close tab" still keeps the history.  Even if the
browser closes, the old session may be kept in newer browsers.  But as
long as it's kept for long enough that it's very rare to see the
message, I don't think it's a big problem.

> You store the data on server side, and redirect to URL that contains
> unique ID for this data.
>
> It's just a few lines in PHP (and similar solutions shuold be possible in all web frameworks):
>
> $id = uniqid();
> $_SESSION[$id] = $_POST;
> header("Location: […]/result.php?id=$id",false,303);
>
> and later:
>
> $_POST = $_SESSION[$_GET['id']];
>
> This works even for multiple submissions done in parallel and it's pretty
> secure and tamper-proof.

That does seem like a pretty good solution.  Perhaps Mike Wilson can
point out the problems with it.

> Is it possible for HTML 5 spec to say that browsers may re-send PUT without asking? (and that authors should use PUT only when resending is not going to cause this problems).

When would that be?



More information about the whatwg mailing list