Form Variables Visible in URL After Post

Hello All,

I currently show the key/value pairs from form posts in the URL on
some pages after form submission.


"ehLogin.login" is called which contains a form for login. After post,
the form's XEH is "ehLogin.validate". If a user failed login during
validation the validation event called setNextEvent("ehLogin.login")
and persisted some information such as the e-mail address.

I thought ColdBox was persisting variables in the URL on a
setNextEvent (for some reason) and switched to a runEvent instead. The
form variables are still visible, and I am confident some people
won't like seeing their password in the URL.

Who feels like slapping me? I am sure this is a simple configuration
error I missed.

I appreciate your help, everyone!

Aaron Greenlee


Here is the detailed doc on how to persist variables:

setNextEvent(event="ehLogin.login", persist="email,trackingid")
So this will persist only 2 variables.



Thanks for taking the time to respond. To clarify, I have no trouble
persisting values from the request context when I need to. My
unanswered question is how to prevent the user from viewing their
form post in the URL. Without any event redirection from my handlers,
the user can see the key/values from the form they posted in the URL
of the following page.

Does that make sense?


-Aaron Greenlee

Is your form using a “post” method or a “get” method? If “get”, then that would explain why the values are showing up in the url.

- Gabriel


It sounds like you are posting the form back to the same event. That is generally regarded as “a bad thing” in the world of OO-ish CF. There are a variety of reasons for this, your example being one of them. If I have correctly deduced that you are posting back to the same event, I would definitely recommend that you rethink your application flow and use a separate action event.

As far as keeping the name/value key pairs from showing up, I would look at what Gabriel mentioned: method=“get” vs method=“post”. A ‘get’ request (form submit) will add everything to the querystring (URL), whereas a ‘post’ request will not.


Thank you, all.

I did not specify "post" or "get" for my form tag's method attribute.
Simple solution.

Matt, to clarify, the form is generated by the "ehLogin.login" event
and posts to "ehLogin.validate". Typing late at night can cause one to
explain things poorly. In the event of a failed login, the
"ehLogin.validate" event redirects the request back to the
"ehLogin.login" event while persisting some information.

I appreciate all your help.

-Aaron Greenlee
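
The root cause found in this thread, a form tag with no method attribute falling back to GET, can be caught by checking rendered templates before release. The following is an added example, not code from the thread or from ColdBox; the sample markup, the `index.cfm?event=...` action and the field names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: the first form omits method (the thread's bug), the second is fixed.
SAMPLE = """<form action="index.cfm?event=ehLogin.validate">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
<form action="index.cfm?event=ehLogin.validate" method="post">
  <input type="password" name="password">
</form>"""

class FormMethodAuditor(HTMLParser):
    """Flags forms that would submit a password field in the query string."""

    def __init__(self):
        super().__init__()
        self.findings = []   # one dict per risky form
        self._form = None    # form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # HTML treats a missing or unrecognised method value as GET.
            method = (attrs.get("method") or "get").strip().lower()
            if method not in ("post", "dialog"):
                method = "get"
            self._form = {"action": attrs.get("action") or "", "method": method,
                          "explicit": "method" in attrs,
                          "line": self.getpos()[0], "password_fields": []}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "text").strip().lower() == "password":
                self._form["password_fields"].append(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["method"] == "get" and self._form["password_fields"]:
                self.findings.append(self._form)
            self._form = None

def audit(html):
    """Return the forms in html that send a password field via GET."""
    auditor = FormMethodAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: GET form exposes {f['password_fields']}")
```

A finding with `explicit` set to False is the case from this thread: the method attribute was never written, so the browser appended the fields to the URL.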