52

How does HTTP 302 work? I would like to know the internals

GilliVilla
  • 4,998
  • 11
  • 55
  • 96

6 Answers6

59

You mean how do browsers handle it? The server sends a 302 code along with a Location header, and the browser requests the new URI specified by the Location header instead.

Unlike 301 (Moved Permanently), the browser continues to use the original URI to do requests, in case the 302 code goes away

Michael Mrozek
  • 169,610
  • 28
  • 168
  • 175
  • 3
    Note that until a couple years ago, browsers didn't cache 301s. Now, Chrome does and I believe Firefox does. IE9 will. – josh3736 Jul 28 '10 at 19:57
  • so if its not a browser making the request (and its an application) then http will not auto redirect to https. You will have to manually change your request string to https. – Andy Dec 23 '16 at 23:34
  • I'm confused. Do you mean that HTTP 301 will instruct browsers to store the redirect target in their history and remove the old URL? Because you seem to be saying the opposite. – Pieter Jul 27 '17 at 11:52
  • I can't use the back button in Firefox or Chromium to go back to the original URL. Is there any workaround? – T-Gergely Feb 05 '21 at 00:04
25

The server returns an HTTP response with the code 302, indicating a temporary redirection, and includes a Location: header indicating the new URI, e.g.

HTTP/1.1 302 Found
Location: http://some-other-url

And potentially other headers at the server's discretion.

The browser normally takes this as a directive to automatically make a new, separate request for the other URI specified by the location header. The client (browser) isn't forced to do this (it could, in theory, just display a message to the user, or do whatever else it wants), but that's how HTTP clients usually behave.

Note that since the 302 is a temporary redirection, a well-behaved client will continue to use the old URL in the future, rather than going directly to the new one (301 is a permanent redirection).

Tyler McHenry
  • 74,820
  • 18
  • 121
  • 166
  • 1
    Hint: Read this answer for a deeper understanding. – erbdex Dec 20 '17 at 05:43
  • When "server 1" sends back a 302 to the "client" with the URL for "server 2" that "client" should be re-directed to, does "server 2" know that "client"'s request to it is being made after having been re-directed? I have an application server that is handing a re-direct URL differently when coming via re-direct 302 vs. typing in the URL directly into the browser. – Declan Oct 18 '22 at 15:06
10

From: http://www.ietf.org/rfc/rfc2616.txt and http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

10.3.3 302 Found

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

  Note: RFC 1945 and RFC 2068 specify that the client is not allowed
  to change the method on the redirected request.  However, most
  existing user agent implementations treat 302 as if it were a 303
  response, performing a GET on the Location field-value regardless
  of the original request method. The status codes 303 and 307 have
  been added for servers that wish to make unambiguously clear which
  kind of reaction is expected of the client.
xgMz
  • 3,334
  • 2
  • 30
  • 23
2

The internals of what? 302 is a return code the server gives the client, what the client does is upto it. The RFCs give guidance on what the client should do, but in the real world 301, 302, 303 and 307 are all handled the same way by the mainstream browsers.

James Antill
  • 2,825
  • 18
  • 16
  • 2
    I have seen IE8 and IE9 behave differently when the location header does not specify an absolute URI ... user beware – felickz Nov 09 '12 at 16:04
1

Just an Addon- Importantly, it is for stop client to hit same server url with same request consecutively/frequently.

A.T.
  • 24,694
  • 8
  • 47
  • 65
0

302 Found:

  • Indicates that the resource requested has been temporarily moved to the URL given by the location header.

  • A browser redirects to this page but search engines don't update their links to the resource.

  • It is recommended to set the 302 code only as a response for GET or HEAD methods.

  • In cases where you want the method used to be changed to GET, use 303.

Seyedraouf Modarresi
  • 1,213
  • 9
  • 14