I’ve just found the answer. The important point is the http status 301 itself. It is a redirection comand. Why would my page get redirected automagically? If you just pay attention to the POST header, you’ll see that I was POST-ing (to /) with POST /pfw_v2/php4compat/trunk?pModule=6beb006837IDBJG5762e&pSub=6beb006837IDBJG5762e&pAct=6beb0N06837zNJMK5762e HTTP/1.1
Host: 192.168.1.51
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.1.51/pfw_v2/php4compat/trunk/
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
username=admin&password=rahasia. What happen next, theoritically, as what RFC had to say: every request to / with be fulfilled with the default page. This default page could be anything you’ve set your webserver into. On my webserver, it’s index.php or index.html. So, what the webserver do to fulfill this request? The webserver wouldn’t automagically fetch index.php for, instead, webserver will generate 301 (moved permanently) status which will then be used by the client to craft the request to the “valid” address given by the webserver via 301 status header. Thus my firefox will request index.php. Differs with 307 status, 301 status never ask the browser to keep the last request (means POST may be replaced with GET). Apparently my firefox has broke the rules and thus send GET index.php. And indeed, the page from GET was served for me. There’s no POST data submitted to the “valid” address, resulting in empty $_POST var.

Case closed! Yokatta ne …

Note: I read somewhere yesterday that 301 never forced to maintain last request’s method, instead, we have 307 for that. I dont know which one is right so I’m not sure wether it’s apache or firefox faults.