|
|
That happens because browser asks the permission to resubmit the form (the one you submitted by pressing "Weiter" button in step 1.). From browsers perspective that is correct "Back" button functionality. I would say this is correct, any web form on internet would work like that. So I would say this is not a bug. |
|
|
|
I agree this is not a bug, but it could be avoided for better usability with this mechanism: http://en.wikipedia.org/wiki/Post/Redirect/Get |
|
|
|
sure, this idea is well known and we will implement it one day, just we cant implement it right now due to..
Imagine use case - standard shop form containing few INPUT fields and few hidden parameters. When form is submitted shop interprets these parameters and performs actions. Yes - here we could collect them and transfer/redirect (if needed) to (same, dedicated, another) view after form is posted by attaching them to header location.
But what if you need additional form parameters?
Yes, user could add them to form and we can dinamically transfer them to next page. But here comes possible security issues, xss or so. So - we need to add some additional input sanitizing functionality to filter/check input (which may later be used on page or so). We dont have it and this feature can not be implemented in next patch just like that. This feature can be implemented ONLY in next major version with additional warning about upcoming change.
What YOU can do (quick and dirty fix) for your projects if this drawback really annoys and you are ready to take responsibility - change form(s) type(s) from POST to GET (like it is now in search), but this means that your shop will expose some user input..
Also - can you enter this feature request to OXID user voice (http://oxid.uservoice.com/forums/31940-feature-requests)? |
|
|
|
FYI: The same problem also appears if you goto list page, select some filters, click on an article and then use the "back"-button. |
|
|
|
After some discussions in team, we decided to do more complex solution to solve this problem in general in entire eShop. Need to prepare the concept for that, which would cover all the cases and handle transactions properly. So the fix for that will be prepared in some later versions. |
|
|
|
Just a few thoughts: If action is performed right after post, and then the redirect leads to a generic page (like "/basket"), no additional input sanitizing is neccessary. I wrote a small component based on the existing redirect in oxcmpbasket for testing purposes which i attached (This is not meant as a solution, just to test the idea).
This fails if a) output is based on actions in view, like "Entry saved", or b) if form params are inserted in output, like in the form to subscribe the newsletter. There could be a special place in the session to store those and output on redirected page (like in oxutilsview::addErrorToDisplay) or those could maybe be passed as GET params to the next page. |
|
|
|
As I wrote to the related bug comments:
We checked the case and looks like it's quite complicated. The regeneration of session ID is implemented for security purposes. So when you click Back on browser, after the form is submited, it tries to get user back to previous page WITH previous session. That's leads to such cases as described.
One of possible solutions would be implementing the PRG pattern in eShop entirely, for all the forms. but that is also related with data handling during the order in various circumstances. So we tend to go for more general solution for entire shop.
We included this task to our backlog, to solve that kind of issues in one of further version releases. Entry here is closed. |
|
