Why doesn't HTTP have POST redirect?

  • HTTP redirects are done via HTTP codes 301, and 302 (maybe other codes also) and a header field known as "Location" which has the address of the new place to go. However, browsers always send a "GET" request to that URL.

    However, many times you need to redirect your user to another domain via POST (bank payments for example). This is a common scenario, and really a requirement. Does anybody know why such a common requirement has been neglected in HTTP specification? The workaround is to send a form (with parameters in hidden fields) with action set to the target location (the value of the Location header field) and use setTimeout to submit the form to the target location.

    Is status code 307 what you're looking for? See my answer below.

  • In HTTP 1.1, there actually is a status code (307) which indicates that the request should be repeated using the same method and post data.

    As others have said, there is a potential for misuse here which may be why many frameworks stick to 301 and 302 in their abstractions. However, with proper understanding and responsible usage, you should be able to accomplish what you're looking for.

    Note that according to the W3.org spec, when the METHOD is not HEAD or GET, user agents should prompt the user before re-executing the request at the new location. You should also provide a note and a fallback mechanism for the user in case old user agents aren't sure what to do with a 307.

    Using this form:

    <form action="Test307.aspx" method="post">
        <input type="hidden" name="test" value="the test" />
        <input type="submit" value="test" />    
    </form>
    

    And having Test307.aspx simply return 307 with the Location:http://google.com, Chrome 13 and Fiddler confirm that "test=the test" is indeed posted to Google. Of course the further response is a 405 since Google doesn't allow the POST, but it shows the mechanics.

    For more information see List of HTTP status codes and the W3.org spec.

    307 Temporary Redirect (since HTTP/1.1) In this occasion, the request should be repeated with another URI, but future requests can still use the original URI.2 In contrast to 303, the request method should not be changed when reissuing the original request. For instance, a POST request must be repeated using another POST request.

    @DavidRuttka, What's the browser support *in the wild*?

    @DavidRuttka you might want to update your answer to take rfc7231 into account (obsoletes rfc2616). Prompting the user is based on a requirement in rfc2616. This requirement is dropped in rfc7231 and rfc7231 also introduces the requirement that 307 redirects must not change request method (which you mention in your quote a the end of your answer).

    Note that according to https://tools.ietf.org/id/draft-hunt-http-rest-redirect-00.html "HTTP redirection codes 301-306 SHOULD NOT be used unless the service provider is aware the client is in fact a user-agent" So it seems ReSTful services should use 308 instead of 301. However this is only a draft.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM