symfony/demo

Should we do 303 redirects upon form submit?

Arkounay opened this issue · 3 comments

Arkounay commented

If I create a CRUD with php bin/console make:crud, when a form is submitted there will be a 303 redirection:

return $this->redirectToRoute('app_post_index', [], Response::HTTP_SEE_OTHER);

in symfony-demo, it's the default redirection (which is 302) that is used:

demo/src/Controller/Admin/BlogController.php

Line 110 in 7e6cc8f

return $this->redirectToRoute('admin_post_index');

303 seems like a better practice:

The HyperText Transfer Protocol (HTTP) 303 See Other redirect status response code indicates that the redirects don't link to the requested resource itself, but to another page (such as a confirmation page, a representation of a real-world object — see HTTP range-14 — or an upload-progress page). This response code is often sent back as a result of PUT or POST. The method used to display this redirected page is always GET.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303

While it seems 302 is recommended only for GET or HEAD methods:

The HyperText Transfer Protocol (HTTP) 302 Found redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the Location header. A browser redirects to this page but search engines don't update their links to the resource (in 'SEO-speak', it is said that the 'link-juice' is not sent to the new URL).

Even if the specification requires the method (and the body) not to be altered when the redirection is performed, not all user-agents conform here - you can still find this type of bugged software out there. It is therefore recommended to set the 302 code only as a response for GET or HEAD methods and to use 307 Temporary Redirect instead, as the method change is explicitly prohibited in that case.

In the cases where you want the method used to be changed to GET, use 303 See Other instead. This is useful when you want to give a response to a PUT method that is not the uploaded resource but a confirmation message such as: 'you successfully uploaded XYZ'.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302

It's not super important but is it a better practice to use 303? Should the code be changed to reflect that?

javiereguiluz commented

@Arkounay sorry for the late reply. Thanks for creating this detailed issue. Yes, I think it would make sense to do this change. Would you have some time to create a Pull Request with this change? If you don't have time for it, we'll ask others in the community to contribute this. Thanks.

Arkounay commented

@javiereguiluz No problem thanks for the reply, yes I can create a pull request next week 👍

  • 👍2
javiereguiluz commented

Closing as fixed in #1448.