Jim Killian says:
I'd be interested if there is concensus on this one. I have a CGI program
for processing forms which, upon successful submission (i.e., POSTing),
issues a Location header, as follows:
That's it. The server issues a 302 return code.
[behaviour of products deleted]
I've reviewed the HTTP spec, but it was not clear what is the correct
behavior here. Should the browser interpret any redirection as a GET (as
Netscape and Mosaic do), OR, maintain the same operation (in this case,
POST) ? In fact, am I (technically) abusing the ability to override the
Location header by using this methodology. Should I be returning a status
code or something?
Looking at section 6.2.3 of the HTTP/1.0 spec dated August 13 1995, it would
appear that the POST method should be used for the redirected request, with
the same data.
If the 302 status code is received in response to a request using the
POST method, the user agent must not automatically redirect the request unless it can be confirmed by the user, since this might change the
conditions under which the request is issued.
That means to me that if a POST is redirected by a 302 it should be redirected
as a POST with the user's consent or not redirected at all.