I've come across something that's puzzled me for the past 3 hours regarding Facebook's login procedure.
I visited http://m.facebook.com (with UA Spoofer installed and set to Nokia Lumia User-Agent) and proceeded to log-in whilst monitoring the headers. I purposely entered the wrong password for an account I have.
When pressing log-in it sends a POST request to this URL: https://m.facebook.com/login.php?refsrc=http%3A%2F%2Fwww.facebook.com%2F&refid=8 and the status code returns a 200 response code.
Then instantly afterwards it does a GET request to this URL: http://m.facebook.com/login.php?refsrc=http%3A%2F%2Fwww.facebook.com%2F&refid=8&e=1348022&email=frankthebutcher%40hotmail.com&signup_layout=layout%7Cbottom_clean%7C%7Cwider_form%7C%7Cprmnt_btn%7Cspecial%7C%7Cst%7Ccreate%7C%7Cheader_button%7C%7Chdbtn_color%7Cgreen%7C%7CFeb1&li=jFMuUdDWbmFhq8b-zAjEOHnE&_rdr
Which is the URL that says the password was incorrect.
But, where is that redirect coming from? There is nothing in the response headers from the first POST request, and JavaScript isn't enabled.
Try it on Chrome. Would love to know how it's doing that so I can adjust the mobile app I'm developing accordingly.
Solved: In my mobile app I was sending the POST request to the right URL, but the URL string I used was encoded, which was causing the problem.
The first POST request is sending back a Location header which tells the browser to step-ahead from this request and proceed with the next. The second request is just the browser then using that new Location supplied and moving forward.
Here's what you see from the first POST response:
However, from what I can see it's a 302 (redirection: found) response, not a 200 OK. Something tells me that you're judging the response headers on the final request, not the intermediate redirect/handoff.
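The handoff described in this answer can be reproduced offline. This is an added example, not code from the original posts: it runs a constructed local stub (the handler, port, form fields and `Location` value are all made up) and shows that a client which does not follow redirects sees the intermediate 302 and its `Location` header, while a client that follows redirects reports only the final 200.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class LoginStub(BaseHTTPRequestHandler):
    """Constructed local stand-in: POST answers 302 + Location, GET answers 200."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(302)
        self.send_header("Location", "/login.php?e=1&_rdr")  # constructed value
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"incorrect password"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def observe_login_hops():
    server = HTTPServer(("127.0.0.1", 0), LoginStub)  # port 0: pick a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        form = b"email=user%40example.com&pass=wrong"  # constructed form body
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # http.client never follows redirects, so this is the intermediate hop.
        conn = http.client.HTTPConnection("127.0.0.1", port)
        conn.request("POST", "/login.php", body=form, headers=headers)
        first = conn.getresponse()
        first.read()
        hop = (first.status, first.getheader("Location"))
        conn.close()
        # urllib follows the 302 itself and reissues the request as a GET,
        # so the caller only ever sees the final response.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        req = urllib.request.Request(f"http://127.0.0.1:{port}/login.php", data=form, headers=headers)
        with opener.open(req) as final:
            end = (final.status, final.geturl())
        return hop, end
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(observe_login_hops())
```
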