> >> OP is redirecting a POST, which is something to be avoided.
> >
> > Why should a redirect after POST be avoided?

It's hairy, and the HTTP/1.1 RFC talks about potential confusion about whether the client will re-submit the POST to the new URL [after prompting the user] or send a GET to the new URL. I also believe there are IE bugs in this area where it drops the body but retains the Content-Length on the redirect.

> >> A simple
> >> HTML redirect in the output of the form-based login makes a lot of
> >> sense.
> >
> > Why? It makes the process dependent on the browser, which should be avoided.

A redirect is just as dependent. This allows the request to run to completion, processing the post body, before doing any kind of redirect. You could also modify whatever processes the form-based login, but that's more complicated.

You shouldn't depend on either mechanism to enforce that the requests on the other side of the URL are protected by SSL, so IMO there's no exposure to using the HTML.

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.