Blue Horn

Symfony redirect vs forward

August 29, 2009 by Sid in Symfony Framework with 3 Comments

I have not read a lot of articles on this, but I did a quick Google search and found that all of the few articles I read seem to suggest redirect over forward. But I have a different opinion here: I would suggest that forward is better than redirect in most (if not all) cases.

This is from Symfony’s documentation (with my emphasis added):

The choice between a redirect or a forward is sometimes tricky. To choose the best solution, keep in mind that a forward is internal to the application and transparent to the user. As far as the user is concerned, the displayed URL is the same as the one requested. In contrast, a redirect is a message to the user’s browser, involving a new request from it and a change in the final resulting URL.

If the action is called from a submitted form with method="post", you should always do a redirect. The main advantage is that if the user refreshes the resulting page, the form will not be submitted again; in addition, the back button works as expected by displaying the form and not an alert asking the user if he wants to resubmit a POST request.

The first paragraph of the quote above from Symfony’s documentation explains what redirect and forward are. Pretty self-explanatory there.

Here, I disagree about the second paragraph. I don’t think that you should always do a redirect for forms with the “post” method. In fact I’d say, always use forward instead of redirect.

So why use forward instead of redirect?

  1. You should never rely on the browser to not resubmit form data. The main advantage of redirect seems to be that if users refresh their browser, the form data will not be resubmitted. But I will say that you should never rely on this. Your code MUST detect and handle the situation where the same data is submitted more than once, to prevent issues such as duplicates and, more seriously, potential security issues like replay attacks.
  2. More secure. Since forward is internal, your users can’t even see it when it happens.
  3. Ajax friendly. When you update an element via an Ajax call, Symfony detects that it is an Ajax call and automatically excludes the layout template. But when you use redirect, Symfony can’t even tell whether it is an Ajax call without an additional GET parameter (ugly!).
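
Point 1 above, sketched as an added example (not code from the original post or from Symfony): a single-use form token lets the POST action recognise a repeated submission whether the response is a forward or a redirect. The SubmissionGuard class, the 'order' form id and the _token field are hypothetical names, and a plain array stands in for the session.

```php
<?php
// Added example: single-use form tokens for detecting repeated submissions.
// SubmissionGuard, 'order' and '_token' are hypothetical names.
final class SubmissionGuard
{
    private $session; // reference to the session storage array

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Call when rendering the form; embed the result in a hidden field.
    public function issue(string $formId): string
    {
        $token = bin2hex(random_bytes(16));
        $this->session['form_tokens'][$formId][$token] = time();
        return $token;
    }

    // Call first in the POST action; true at most once per issued token.
    public function consume(string $formId, string $token, int $maxAge = 900): bool
    {
        $issuedAt = $this->session['form_tokens'][$formId][$token] ?? null;
        unset($this->session['form_tokens'][$formId][$token]); // burn it either way
        return $issuedAt !== null && (time() - $issuedAt) <= $maxAge;
    }
}

// The action performs its non-idempotent work only when the token is fresh.
function handlePost(SubmissionGuard $guard, array $post): string
{
    $token = $post['_token'] ?? '';
    if (!is_string($token) || !$guard->consume('order', $token)) {
        return 'rejected: duplicate or stale submission';
    }
    // ... insert the row, charge the card, send the mail: exactly once ...
    return 'processed';
}

$session = [];                                   // stands in for $_SESSION
$guard   = new SubmissionGuard($session);
$token   = $guard->issue('order');
$post    = ['_token' => $token, 'item' => 'book']; // constructed sample input

echo handlePost($guard, $post), "\n";              // first submit
echo handlePost($guard, $post), "\n";              // refresh or replayed request
echo handlePost($guard, ['item' => 'book']), "\n"; // request with no token
```

This assumes the session store serialises requests within one session (PHP's default file handler locks the session file), so two simultaneous submits cannot both consume the same token.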

Tips:

  • On non-Ajax “post” forms, use forward and then use JavaScript to redirect the user. For example, display “Successfully logged in, please wait while we redirect you to your dashboard in 10 seconds, click here if this takes too long …”

There are still more reasons for using forward instead of redirect with Symfony (better code, cleaner URL, and more) but I’m really hungry at the moment.

Happy coding! :)

3 Comments

  1. halfer, September 2, 2009 at 4:42 am

    I’d be interested to read more about how using forward() would prevent replay attacks – presumably an intercepted stream can still be played back by a man in the middle regardless? Meanwhile, if forward() is used, most users will use their back button, and the browser will have no choice but to ask them each time whether they wish to re-submit their POST op, which is disruptive to the browsing experience and may force them to repeat operations that are not idempotent.

  2. Sid (Author), September 2, 2009 at 10:55 am

    I did not say forward() would prevent replay attacks. I did write that “You should never rely on browser to not resubmit form data” and that “Your code MUST detect and handle situation where the same data is submitted more than once to prevent issues such as duplicate and more seriously, potential security issue like replay attack”.

  3. Sid (Author), September 2, 2009 at 11:23 am

    More discussions on this at http://forum.symfony-project.org/index.php/m/84692/#msg_84692
