Timed Redirect

[blm126]

I was bored

[mwinter]

I am trying to achieve that "timed redirect" you see on a lot of forums.

Can I ask why? Forums shouldn't do it at all, nor should many other Web applications. Upon successful login, they should issue a temporary redirect (307), set cookies (if necessary), and go straight to the destination.

Logging in successfully is not an exceptional case and doesn't deserve a separate page, especially as it might necessitate explicit action from the user should scripting or meta refreshes be disabled. Simply arriving at the destination is indication enough.

Mike

[blm126]

Can I ask why? Forums shouldn't do it at all, nor should many other Web applications.

Sure,I'm attempting to write a simple CMS(for my own use). I would like to use it in the admin center to provide extra choices. Say for instance the user creates a page. A page would show saying something like "Your browser should redirect you to the admin panel shortly, if not click here to go there now. You may also click here to view the new page.". It is not necessary but could streamline(At least I think so) the admin panel.

Upon successful login, they should issue a temporary redirect (307)

How do you do that? I know how(in PHP) to redirect to a new location like this.

PHP Code:

<?php
header('Location: http://somesite');
?>

The PHP manual says that that will also send a 302 header. What is the difference between 302 and 307?

[Twey]

302 Found

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

Note: RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client.

307 Temporary Redirect

The requested resource resides temporarily under a different URI. Since the redirection MAY be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s) , since many pre-HTTP/1.1 user agents do not understand the 307 status. Therefore, the note SHOULD contain the information necessary for a user to repeat the original request on the new URI.

If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

This one always makes me laugh:

410 Gone

The requested resource is no longer available at the server and no forwarding address is known. This condition is expected to be considered permanent. Clients with link editing capabilities SHOULD delete references to the Request-URI after user approval. If the server does not know, or has no facility to determine, whether or not the condition is permanent, the status code 404 (Not Found) SHOULD be used instead. This response is cacheable unless indicated otherwise.

The 410 response is primarily intended to assist the task of web maintenance by notifying the recipient that the resource is intentionally unavailable and that the server owners desire that remote links to that resource be removed. Such an event is common for limited-time, promotional services and for resources belonging to individuals no longer working at the server's site. It is not necessary to mark all permanently unavailable resources as "gone" or to keep the mark for any length of time -- that is left to the discretion of the server owner.

... and this one makes me seriously worry about the state of the Web after HTTP2.0 comes out:

402 Payment Required

This code is reserved for future use.

[blm126]

Thanks Twey, but I still don't quite understand. I read through them, but they appear to say almost the exact same thing. What's the difference, or are they interchangeable?

[mwinter]

First of all, I was mistaken: 303 (See Other) would be the correct response, not 307 (Temporary Redirect).

I read through them, but they appear to say almost the exact same thing. What's the difference, or are they interchangeable?

The difference is in the note that accompanies 302 (Found).

The response code originated in HTTP/1.0, and it meant for a request to be repeated using a different request URI, but that the user had to asked to confirm it. Unfortunately, many user agents didn't do either: requests were converted to GET requests (rather than repeated as the same type), and the user was never asked to confirm the redirection.

In HTTP/1.1, 303 (See Other) and 307 (Temporary Redirect) were introduced, and 302 (Found) was redefined. See Other became a formalised version of the badly implemented Found: requests are converted to GET, and the redirection is transparent to the user. Found was changed to be like See Other (convert to GET), except that the mandatory confirmation was retained. Finally, Temporary Redirect became the original 302: requests are repeated (not converted), and confirmation is required.

Alan Flavell has written about this in an article called Redirect in response to POST transaction.


As the forum-like process is a transition from a POST request (the login) to some final destination (made using a GET request), 303 See Other is the right way to do it.

Mike

[blm126]

Ok, just to make sure I understand. This is what I should do to redirect correctly in PHP.

PHP Code:

<?php
header('HTTP/1.1 303 See Other');
header('Location: http://somefile');
?>

[mwinter]

Ok, just to make sure I understand. This is what I should do to redirect correctly in PHP.

PHP Code:

<?php
header('HTTP/1.1 303 See Other');
header('Location: http://somefile');
?>

Or (in PHP 4.3.0 or later):

PHP Code:

header('Location: <absolute-URI>', true, 303); 


which is effectively the same thing. You should also follow the specification's SHOULD statement and include a link as content in the response. Though there are relatively few HTTP/1.0 clients left (NN4 is one of them), it's still a good thing to do.

This one always makes me laugh:

410 Gone

...

Errm, why?

Joking aside, the 410 (Gone) status could actually be useful if it was convenient to use. The typical 404 (Not Found) response implies that there was something wrong with the request; that the URI was wrong, somehow. This is misleading if the URI was right, but the content has been removed (if it's been moved, a 301 (Moved Permanently) redirect should be set up), and this is where 410 would be handy. The user can know for certain that whatever they were looking for can't be found at that site, and they should go elsewhere.

Mike

[Twey]

I understand that. It's just a little abrupt. I guess my sense of humour is slightly odd.

[blm126]

This is really interesting. Does anyone know of any good resources to learn more about this? I have found the w3 specs, but I'm looking for a list of what different browsers support. I have never really spent the time to learn that much about http, and now that I am I see a lot of interesting things you can do with it.For example the 204 No Content and 205 Reset Contents status codes look useful.