http://bluehorn.co.nz/2009/08/29/symfony-redirect-vs-forward/ New Zealand Web Design & Development (PHP 5, MySQL, Symfony Framework, Apache, Linux) Fri, 09 Dec 2011 18:27:36 +0000 hourly 1 http://wordpress.org/?v=3.2.1 http://bluehorn.co.nz/2009/08/29/symfony-redirect-vs-forward/comment-page-1/#comment-1029 Sid Tue, 01 Sep 2009 22:23:24 +0000 http://bluehorn.co.nz/?p=284#comment-1029 More discussions on this at http://forum.symfony-project.org/index.php/m/84692/#msg_84692 More discussions on this at http://forum.symfony-project.org/index.php/m/84692/#msg_84692

]]> http://bluehorn.co.nz/2009/08/29/symfony-redirect-vs-forward/comment-page-1/#comment-1028 Sid Tue, 01 Sep 2009 21:55:39 +0000 http://bluehorn.co.nz/?p=284#comment-1028 I did not say forward() would prevent replay attacks. I did write that "You should never rely on browser to not resubmit form data" and that "Your code MUST detect and handle situation where the same data is submitted more than once to prevent issues such as duplicate and more seriously, potential security issue like replay attack". I did not say forward() would prevent replay attacks. I did write that “You should never rely on browser to not resubmit form data” and that “Your code MUST detect and handle situation where the same data is submitted more than once to prevent issues such as duplicate and more seriously, potential security issue like replay attack”.

]]> http://bluehorn.co.nz/2009/08/29/symfony-redirect-vs-forward/comment-page-1/#comment-1025 halfer Tue, 01 Sep 2009 15:42:50 +0000 http://bluehorn.co.nz/?p=284#comment-1025 I'd be interested to read more about how using forward() would prevent replay attacks - presumably an intercepted stream can still be played back by a man in the middle regardless? Meanwhile, if forward() is used, most users will use their back button, and the browser will have no choice but to ask them each time whether they wish to re-submit their POST op, which is disruptive to the browsing experience and may force them to repeat operations that are not idempotent. I’d be interested to read more about how using forward() would prevent replay attacks – presumably an intercepted stream can still be played back by a man in the middle regardless? Meanwhile, if forward() is used, most users will use their back button, and the browser will have no choice but to ask them each time whether they wish to re-submit their POST op, which is disruptive to the browsing experience and may force them to repeat operations that are not idempotent.

]]>