Post/Redirect/Get

Post/Redirect/Get (PRG) is a common design pattern for web developers to help avoid certain duplicate form submissions and allow user agents to behave more intuitively with bookmarks and the refresh button.

Duplicate form submissions

When a web form is submitted to a server through an HTTP POST request, a web user that attempts to refresh the server response in certain user agents can cause the contents of the original HTTP POST request to be resubmitted, possibly causing undesired results, such as a duplicate web purchase.

To avoid this problem, many web developers use the PRG pattern — instead of returning a web page directly, the POST operation returns a redirection command (using the HTTP 303 response code [sometimes 302] together with the HTTP "Location" response header), instructing the browser to load a different page using an HTTP GET request. A web user can then safely refresh the server response without causing the initial HTTP POST request to be resubmitted.

The PRG pattern cannot address every scenario of duplicate form submission. Some known duplicate form submissions that PRG cannot solve are:

• if a web user goes back to the web form and resubmits it.
• if a web user clicks a submission button multiple times before the server response loads (may be prevented by using JavaScript to disable the button after the first click).
• if a web user refreshes before the initial submission has completed because of server lag, resulting in a duplicate HTTP POST request in certain user agents.

Bookmarks

User agents store only the URI of an HTTP request as a bookmark. Because of this, an HTTP POST request that results in a response based on the body of the HTTP POST request cannot be bookmarked. By using the PRG pattern, the URI of the HTTP GET request can safely be bookmarked by a web user. It's a question of the persistence of the data and the design of the URI whether bookmarking makes sense and is really working at every step of an application.

Proxy Server

Since redirects are using absolute URIs, one has to take care about proxy servers (HTTP->HTTPS) and reverse proxy servers. If your application is such that a user uses a SSL tunnel to reach your site, this can cause problems also. (You may be able to use the REFFER header to discover the domain and port the user is actually entering.)

External links

• Redirect After Post, Michael Jouravlev, August 2004
  • Description of the pattern for J2EE, Michael Jouravlev, August 14, 2003
• GET after POST Adam Vandenberg
• Is the Portlet Programming Model Broken? Subbu Allamaraju
• How to avoid POSTDATA resend warning Anis uddin Ahmad