Thanks.

That looks liek what I would do if I am generating the redirection myself, and handling it directly in my script rather than passing it on to the client. However, why don't I just use the following:

For my test cgi script, and using my client scriptlet, that gives me the following:

HTTP/1.1 302 Found
Connection: close
Date: Thu, 27 Sep 2012 15:43:16 GMT
Location: http://localhost:9080/cgi-bin/cgi.redirect.pl
Server: Apache/2.2.16 (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3
Content-Type: text/plain
Client-Date: Thu, 27 Sep 2012 15:43:16 GMT
Client-Peer: 127.0.0.1:9080
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Client-Warning: Redirect loop detected (max_redirect = 0)

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-U
+S">
<head>
<title>Redirection Test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
+" />
</head>
<body>
<p><a href="http://www.google.ca">Go To Google</a></p>
</body>
</html>
[download]

If I get a redirection, the only thing I ought to do in this use case is pass it on to whatever client sent a request to my CGI script, and it looks like "print $response->as_string;" will do that: request parameters and all. It is true I need to store some data in this eventuality, but that is just an extra function call inside the conditional block that checks to see whether or not the response code is between 300 and 399 inclusive., That, and not allowing my code to follow redirections, ought to suffice. Is there any reason to expect that to break?

Thanks again.

Ted

However, why don't I just use the following:

I don't know, doesn't make sense to me -- you're not a proxy, so why act like a proxy -- either you're making requests on behalf of a user or the user is making the requests -- redirecting a user to some other site based on a request you generated to that other site, smells like CSRF

Is there any reason to expect that to break?

Sure, if the other site changes, say to ban your client (for TOS) or prevent CSRF :)

But I'm not really sure what you're doing :)

Actually, the only reason I am investigating this is that the other site requires me to do this. That is, the web service I am using may or may not redirect me to another of their services based on the data I submit to them, which is data I receive in a request made by my client. I would be much, MUCH happier if it wasn't necessary. The service involved deals with transaction processing. When my client is dealing with those of their customers that do not have extra security features, then I can process as I always do. I can not know, before hand, whether or not a given request will be redirected since neither my client nor I can know whether or not their customer has an account with these extra security features. That is something the service I am using can determine only after I submit the raw data to them. But, if the costumer has an account with extra security, fraud prevention features, then the service I use requires me to redirect them to another of their services (using the redirection data they send back to me - which is different with every request), so the customer can enter data that is known only to them, and then the service I am using sends the result (which I would have otherwise processed normally), to a callback CGI script, so I can store the result and provide my clients with accounting, activity and risk management reports. This is something new that the service I am using hit me with only a few days ago. Thus, the other sites TOS actually requires me to do this, adaptively, based on what response they decide to send back to me.