jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: SERVLET_SPEC-14: Require FORM auth to issue 303 redirects

From: Mark Thomas <markt_at_apache.org>
Date: Wed, 18 Jan 2012 09:03:11 +0000

On 13/01/2012 23:04, Shing Wai Chan wrote:
> Hi,
>
> I am looking at
> http://java.net/jira/browse/SERVLET_SPEC-14
> ("Require FORM auth to issue 303 redirects")
>
> Note that 303 is only in HTTP/1.1, not HTTP/1.0.
> In section 13.6.3.1 of servlet spec 3.0, it only mentions "redirects"
> with no mention of status code.
> In section 10.3.4 of RFC 2616, we have
>
> Note: Many pre-HTTP/1.1 user agents do not understand the 303
> status. When interoperability with such clients is a concern, the
> 302 status code may be used instead, since most user agents react
> to a 302 response as described here for 303.
>
> So, it seems that some of the client may not understand 303.

That may have been true when RFC2616 was written. I am not so sure it is
true now. It was a browser treating a 302 like a 307 rather than a 302
that triggered a problem for a Tomcat user that raised my awareness of this.

> I am not sure whether we should mention the status code in this case.

Some hard data on how various clients respond to 302, 303 and 307 could
be useful. I'm happy to do a little research in that area if folks think
it would help.

Assuming that recent browsers do correctly respond to a 303 then I think
the Servlet spec should indicate at least a preference for a 303
redirect after FORM auth for HTTP/1.1 (and later) clients. Older clients
will have to continue with a 302.

Mark
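Added illustration of the point under discussion (my code, not code from the thread, from the Servlet spec, or from Tomcat): a server-side chooser that sends 303 to HTTP/1.1-and-later clients and 302 to HTTP/1.0 clients, next to a small model of how a user agent forms the follow-up request for 302, 303 and 307. The model shows why the status matters after FORM auth: a 303 always turns the j_security_check POST into a GET, whereas a user agent that treats 302 like 307 repeats the POST, credentials body included, against the redirect target. The function and path names, the sample credentials and the "treats 302 like 307" flag are assumptions made for the example; the thread does not say what the Tomcat user's problem was.

```python
"""
Added example (not from the thread, the Servlet spec, or Tomcat):
choose the post-FORM-auth redirect status by HTTP version and model
what a user agent does with the POSTed login form for each status.
"""
from dataclasses import dataclass
from typing import Optional

# Request target used by the Servlet FORM authentication mechanism.
J_SECURITY_CHECK = "/j_security_check"


def form_auth_redirect_status(request_version: str) -> int:
    """Pick the status for the redirect sent after a successful login POST.

    303 (See Other) exists only from HTTP/1.1 on (RFC 2616 10.3.4) and tells
    the client to GET the Location without the POSTed body.  HTTP/1.0 clients
    do not know 303, so they keep getting 302 (Mark's proposal above).
    """
    version = request_version.strip().upper()
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP version token: {request_version!r}")
    major, _, minor = version[len("HTTP/"):].partition(".")
    if (int(major), int(minor or 0)) >= (1, 1):
        return 303
    return 302


def redirect_response(request_version: str, location: str) -> dict:
    """The status line and Location a FORM auth handler would send back."""
    return {"status": form_auth_redirect_status(request_version),
            "Location": location}


@dataclass(frozen=True)
class Request:
    method: str
    target: str
    body: Optional[bytes] = None


def follow_redirect(original: Request, status: int, location: str,
                    treats_302_like_307: bool = False) -> Request:
    """Model of the follow-up request a user agent issues for a redirect.

    303: GET the Location with no body (RFC 2616 10.3.4).
    307: repeat the method and body against the Location (RFC 2616 10.3.8).
    302: most user agents act as for 303; a user agent that treats 302 like
         307 (the misbehaviour Mark mentions) repeats the POST instead.
    """
    if status == 303:
        return Request("GET", location)
    if status == 307:
        return Request(original.method, location, original.body)
    if status == 302:
        if treats_302_like_307:
            return Request(original.method, location, original.body)
        return Request("GET", location)
    raise ValueError(f"redirect status not modelled here: {status}")


def login_followup(request_version: str,
                   treats_302_like_307: bool = False) -> Request:
    """Run a FORM login POST through the server chooser and the client model."""
    creds = b"j_username=alice&j_password=hunter2"  # constructed sample body
    post = Request("POST", J_SECURITY_CHECK, creds)
    resp = redirect_response(request_version, "/app/secure/index")
    return follow_redirect(post, resp["status"], resp["Location"],
                           treats_302_like_307)


if __name__ == "__main__":
    # HTTP/1.1 client: 303, follow-up is a GET with no body.
    print(login_followup("HTTP/1.1"))
    # HTTP/1.0 client: 302, well-behaved client still issues a GET.
    print(login_followup("HTTP/1.0"))
    # HTTP/1.0 client treating 302 like 307: the credentials are re-POSTed
    # to the protected resource, which is what a 303 prevents.
    print(login_followup("HTTP/1.0", treats_302_like_307=True))
```

The interesting case is the last one: with a 302 the outcome depends on the client's interpretation, while with a 303 the follow-up is a GET regardless of how the client treats 302. That is the interoperability trade-off in the thread: 303 removes the ambiguity for HTTP/1.1 clients, and only clients that predate 303 need the looser 302.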