Thursday, 17 February 2011

"HTTP Redirects considered harmful"

To those of you not "in the know", the title above refers to that most famous of computer science literary pieces, written by dutch IT professor Edsger W. Dijkstra.

"Go-to statement considered harmful"

Most software designers in general agree with the premise written above. And so, a great number of applications have been designed very carefully without anything approaching "goto statements".

However, software designers would not be software designers if they couldn't find a way around this.

I am talking about the ability to create "redirect" http requests and "forward" requests. Once more the difference:

  • "redirect" requests tell your browser to go someplace else
  • "forward" requests are done at server level, and your browser is ignorant of this fact
  • javascript: window.location = "something else"; (this particular one is a clue that someone somewhere is having to hack his way through problems)

I've seen some examples of the problems that can arise, when used too much or wrongly, to wit the following:

  • redirecting an http error to an error page. The error page can be found, returns HTTP code 200 ("Ok") and the browser loses any knowledge that anything went wrong. (A rather severe problem when dealing with REST services.)
  • forwarding to a different url, or a different webserver for that matter, causing the original request to be lost. (for example, you may lose the ip address of the browser that sent the original request. this causes the problem of no longer accurately validating requests based on ip.)
  • the dreaded "The site is redirecting the request in a way that will never complete.", meaning that it's possible that our redirects are stuck in a nice little loop.

A lot of these redirects and forwards grouped together can cause an application to become a truly dizzying maze that's impossible to analyse and might just provide a severe performance hit.

Some examples that make use of it:

  • apache mod_proxy
  • javascript: window.location = ""
  • javascript: top.location = ""
  • response.sendRedirect(url);
  • request.getRequestDispatcher(new_url).include(request, response);
  • getRequestDispatcher(new_url).forward(request,response);
Please try and limit these to as few as possible. It will make your life easier. I promise.

No comments:

Post a Comment