(1) What happens if the user refreshes the page before the redirect response coming back? At that time, the newest action in the browser is still the POST request, wouldn't that lead to resubmission?
There are 2 cases:
CASE 1
- User requests form
- User submits form
- Server processes form and sends a redirect
- User decides to cancel the page before the redirect request has arrived
In this case, the user cannot refresh the page because the refresh button is in Cancel mode. So the user must cancel and then refresh. So the user cancels the request and refreshes the page. The browser will issue the last GET request in the history which is:
1. User requests form
CASE 2
- User request the form
- User submits the form
- Server processes the form and sends a redirect
- The browser receives the redirect and issues a GET to the redirect URL
- While the server is processing the request, the user decides to cancel
In this case the user cannot refresh the page and must cancel the request in order to refresh. So the user cancels the request. The user then refreshes, so the browser will issue the last GET request in the history which is:
4. The browser receives the redirect and issues a GET to the redirect URL
Here is the important part: POST requests do not remain in the browser history as mentioned here.
(2) What happens if the user click "back"? Will this lead to resubmission?
No, it will not. The submission can only happen if the user presses the form submission button.
If you did not do the PRG pattern, then the browser will notice that upon clicking the back button a form submission may occur, it will prompt the user:
The page that you're looking for used information that you entered. Returning to that page might cause any action you took to be repeated. Do you want to continue?
Or something similar depending on the browser.