Options for passing data across HTTP redirects

StackOverflow https://stackoverflow.com/questions/10455789

Domanda

I am working on a Web application and need to pass data across HTTP redirects. For example:

http://foo.com/form.html

POSTs to

http://foo.com/form/submit.html

If there is an issue with the data, the Response is redirected back to 

http://foo.com/form.html?error=Some+error+message

and the query param "error"'s value is displayed on the page.

Is there any other reliable way to pass data across redirects (ie HTTP headers, etc.).

Passing the data as query params works but isn't ideal because:

  • its cleartext (and in the query string, so SSL cant be relied on to encyrpt) so I wouldn't want to pass sensitive data
  • URIs are limited in length by the browser (albiet the length is generally fairly long).

IMPORTANT: This platform is state-less and distributed across many app servers, so I can't track the data in a server-side session object.

È stato utile?

Soluzione

From the client-server interaction point of view, this is a server internal dispatch issue.

Browsers are not meant to re-post the entity of the initial request automatically according to the HTTP specification: "The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD."

If it's not already the case, make form.html dynamic so that it's an HTML static file. Send the POST request to itself and pre-fill the value in case of error. Alternatively, you could make submit.html use the same template as form.html if there is a problem.

its cleartext (and in the query string, so SSL cant be relied on to encyrpt) so I wouldn't want to pass sensitive data

I'm not sure what the issue is here. You're submitting everything over plain HTTP anyway. Cookie, query parameters and request entity will all be visible. Using HTTPS would actually protect all this, although query parameters can still be an issue with browser history and server logs (that's not part of the connection, which is what TLS protects).

Altri suggerimenti

I think using cookies would be a reasonable solution depending on the amount of data. As you can't track it on the server side (by using a sessions for example, which would be much simpler)

You can store error message in database on server and reference to it by id:

http://foo.com/form.html?error_id=42

If error texts are fixed you even don't need to use a database.

Also, you can use Web Storage. Instead of redirection with "Location" header you can display output page with this JavaScript:

var error_message = "Something is wrong";
if( typeof(Storage) !== "undefined" ) {
  localStorage.error_message = error_message;
else {
  // fallback for IE < 8
  alert(error_message);
}
location.href = "new url";

And after redirection you can read localStorage.error_message using JavaScript and display the message.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top