[nycphp-talk] back button, page timeout, sessions

Adam Maccabee Trachtenberg adam at trachtenberg.com
Fri Jan 30 14:48:37 EST 2004


On Fri, 30 Jan 2004, Chris Shiflett wrote:

> --- Adam Maccabee Trachtenberg <adam at trachtenberg.com> wrote:
> > Roy Fielding would be so proud. If you read the HTTP RFC, you see
> > that you're not supposed to alter any content as a result of a GET
> > request. See section 9.1.1 of RFC 2616:
> >
> > > In particular, the convention has been established that the GET and
> > > HEAD methods SHOULD NOT have the significance of taking an action
> > > other than retrieval. These methods ought to be considered
> > > "safe". This allows user agents to represent other methods, such as
> > > POST, PUT and DELETE, in a special way, so that the user is made
> > > aware of the fact that a possibly unsafe action is being requested.
>
> This is what he was referring to during my talk, if you remember. :-)

How do you think I know about this? :)

> Rasmus mentioned (with a hint of pride, actually) that he is largely
> responsible for this problem, and register_globals is a fundamental
> factor. Because PHP developers don't have to even know what the request
> method is, they are likely to not pay any attention when deciding whether
> to take some important action. This is yet another reason why disabling
> register_globals is a good idea.

I would actually have to say Rasmus is probably right.

-adam

-- 
adam at trachtenberg.com
author of o'reilly's php cookbook
avoid the holiday rush, buy your copy today!
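The pattern the thread is describing, as an added example that is not from the list thread or its authors: a delete handler written the register_globals way acts on whatever parameters arrive, so a plain link or a prefetching browser issuing a GET changes state, while the hardened version treats GET as safe per RFC 2616 section 9.1.1 and only acts on a POST body. The functions, the item list and the two sample requests are constructed for illustration; modern PHP has no register_globals, so a merged GET/POST array stands in for it.

```php
<?php
// Added example (not from the mailing-list thread): why a state-changing
// handler must check the request method instead of trusting whichever
// variables happen to arrive. Runs from the CLI with constructed requests.

// The register_globals-era pattern: $action and $id "just exist", whether
// they came from a query string (GET) or a form body (POST). A link, an
// <img src="..."> tag or a prefetching user agent can trigger the delete.
function deleteItemUnsafe(array $params, array &$items): string
{
    $id = $params['id'] ?? null;
    if (($params['action'] ?? '') === 'delete' && isset($items[$id])) {
        unset($items[$id]);
        return "200 deleted $id";
    }
    return "200 nothing to do";
}

// Hardened: GET is "safe" (RFC 2616 9.1.1), so it may only read.
// State changes require POST, and parameters are taken from the body only.
function deleteItemSafe(string $method, array $get, array $post, array &$items): string
{
    if ($method !== 'POST') {
        // Refuse, and tell the client which method is allowed.
        return "405 Method Not Allowed (Allow: POST)";
    }
    $id = $post['id'] ?? null;
    if (($post['action'] ?? '') === 'delete' && isset($items[$id])) {
        unset($items[$id]);
        return "200 deleted $id";
    }
    return "400 missing or unknown id";
}

// Constructed sample data: the same parameters arriving by GET and by POST.
$items   = ['42' => 'invoice', '43' => 'receipt'];
$viaGet  = ['method' => 'GET',  'get' => ['action' => 'delete', 'id' => '42'], 'post' => []];
$viaPost = ['method' => 'POST', 'get' => [], 'post' => ['action' => 'delete', 'id' => '43']];

foreach ([$viaGet, $viaPost] as $req) {
    // The unsafe handler sees one merged view, as register_globals (or $_REQUEST) gives it.
    $copy   = $items;
    $merged = $req['get'] + $req['post'];
    printf("unsafe %-4s -> %s (items left: %s)\n", $req['method'],
        deleteItemUnsafe($merged, $copy), implode(',', array_keys($copy)));

    $copy = $items;
    printf("safe   %-4s -> %s (items left: %s)\n", $req['method'],
        deleteItemSafe($req['method'], $req['get'], $req['post'], $copy),
        implode(',', array_keys($copy)));
}
```

Run with `php example.php`: the unsafe handler deletes item 42 on the GET, the safe handler answers 405 and leaves both items, and both delete item 43 on the POST. In a real request the method comes from `$_SERVER['REQUEST_METHOD']` and the body from `$_POST`; requiring POST keeps GET side-effect free but does not by itself stop a forged cross-site POST, so a per-session form token is still needed on top of the method check.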
