Technically, it shouldn't happen. The iframe created by your tracking script pointed to /track.htm, so there shouldn't be any GET request to your b.php page.

On the other hand, just thinking out loud here, there're a few scenario that could happen because of "real world" user.

1. The users happen to have bookmark the b.php page, thus causing them to open it using GET when they try to re-open the page using their bookmark.

2. The users tried to refresh the page b.php, then get warned about "Form re-submission". Being clueless as most real user are, they canceled the form re-submission, then click on the address bar and click GO on their browser with the sole intention of reloading the page. This could also cause the GET request to send to the b.php page.

Considering the best practice when designing the page flow for form submission, it might be better for you to only "process" your form data in b.php and then return a 302 Redirect to another page that show the result using a GET request. This will allow users to "refresh" the page without double submitting the form, and also allow user to bookmark the result page too.

Try doing the tracking on the callback of the original request to ensure its loaded?

Also you could look into something like ajaxFormPlugin by malsup

your ajax call doesn't contain method: "POST". This can be the cause.

i would like to suggest to check the permission of your "b.php" page. Please make sure the page has "w" permission for all users. this is a chance for not making a "POST" request.

I know it's a workaround but if, as I suppose, you have a bunch of checks for the $_POST variables, if you receive a GET request you could try replace the POST with the GET:

if (empty($_POST) && !empty($_GET)) $_POST = $_GET;
//here the check of $_POST
//...

since we don't know why this ipads (...apple -.-) have the issue, and between GET and POST there isn't so much difference - at least if you don't need to upload files...

The only way a post form can be sent as get is using script (changing the method attribute directly, or replacing the form behavior for example with an ajax request, binding to the event "submit" another function), so I suggest you to check every script that run in the parent and the children pages.

This doesn't answer your question but as it entails to the GET glitch but as things stand, ~5% of your iPad visitors can't sign up because the code only accepts POST and so far no one can figure this out. So I propose a change of strategy, at least in the mean time.

Preventing CSRF by only accepting POST requests is already known to not work. Your choice of accepting only this request method as a means of security is what ultimately results in the 405. There are better ways.

One example of is using a CSRF token, specifically the Synchronizer Token Pattern.

The idea behind a CSRF token is that when you generate the form, you also generate a "key" which you tie to the form. When that form is submitted, if it doesn't have the key or the key isn't the right one, you don't bother processing the form. The Syncronizer Token Pattern gets fancy in that it changes the expect key each time (in the form field implementation, giving the <input type="hidden"> field a new name attribute each time) in addition to the value.

Have your code in a.php generate a random token and store it as a session variable on the server. Output the token in the form as a hidden field.

Before processing the request in b.php, ensure the token value is in the request data and ensure it has the expected value.

You can first check for $_POST data and if it is missing, check for $_GET data. Regardless of which array contains the data, if the data does not have a valid CSRF token, respond with a 4xx error.

If the token is good, consume the token and process the request. If the token is missing or is invalid, return a 4xx response code.

Another way would be to set your field names to random values each time the form is generated. So instead of <input name="value" type="hidden" value="foo"/> or <input name="bar" type="hidden" value="none"/>.

// ... in an importable file somewhere ...
// Generate our tokens
function token($len = 13) {
    $chrs = 'abcdefghijklmnopqrstuvwxyz0123456789_';
    $str = '';
    $upper_lim = strlen($chrs) - 1;
    for ($i = 0; $i < $len; $i++) {
        $idx = rand(0, $upper_lim);
        $str .= rand(0, 1) ? strtoupper($chrs[$idx]) : $chrs[$idx];
    }
    return $str;
}
function magic_set_function($key, $value) {
    $_SESSION[$key] = $value;
}
function magic_get_function($key) {
    return (array_key_exists($key, $_SESSION) ? $_SESSION[$key] : NULL)
}
function validate_request() {
    $data = !empty($_POST) ? $_POST : $_GET;
    if ( empty($data) ) { return false; }

    // Ensure the tokens exist (hopefully not too costly)
    $field_tokens = magic_get_function('field_tokens');
    if ( $field_tokens) === NULL ) { return false; }

    $csrf_token_name = $field_tokens['token'];
    $given_csrf_token = $data[$csrf_token_name];

    // Get our CSRF token
    $expected_csrf_token = magic_get_function('csrf_token');
    // ensure we're expecting a request / that we have generated a CSRF
    if ( $expected_csrf_token === NULL || 
         $expected_csrf_token !== $given_csrf_token) { 
            return FALSE;
    }
    // After whatever other checks you want...
    return TRUE;
}

function fetch_data() {
    $data = empty($_POST) == FALSE ? $_POST : $_GET;
    if (empty($data ) { throw new DataLoadException(); }

    // Ensure the tokens exist (hopefully not too costly)
    $field_tokens = magic_get_function('field_tokens');
    if ( $field_tokens) === NULL ) { throw new TokenLoadException(); }

    foreach ($field_tokens as $field_name => $token_name) {
        if ( isset($data[$token_name]) ) {
            $data[$field_name] = $data[$token_name];
            unset($data[$token_name]);
        }
    }
    return $data;
}

// first.php/a.php/b.php (wherever necessary)
// ...
$tokens = array();
// our csrf token
$csrf_token = token();
$field_names = array('value', 'bar', 'token');
$field_values = array('value'=>'foo', 'bar' => 'none', 'token' => $csrf_token);
// Tokenize errthing...
foreach ($field_names as $k => $field_name) {
    // and generate random strings
    $tokens[$field_name] = token();
}

// You NEED TO STORE THESE TOKENS otherwise submissions lose context
magic_set_function('field_tokens', $tokens);
magic_set_function('csrf_token', $csrf_token); // dup, but j.i.c.

// first.php
printf('<input type="hidden" name="%s" value="%s"/>', $tokens['value'], $field_values['value']);
// ...

// a.php
// Get the data... (POST/GET)
if (ensure_valid_request() !== TRUE) { handle_invalid_request(); }
$data = fetch_data();
// ...
// Tokenize errthing, generate a csrf, store the values, etc.
// ...
printf('<input type="hidden" name="%s" value="%s"/>', $tokens['bar'], $field_values['bar']);
// ...

// b.php
// ... You get the idea ...

It doesn't answer your question of why 5% are sending GET Requests but it does solve your overall problem on both a security and user level.

EDIT: To specifically answer OPs questions in comments:

"(1) does this require using cookies? (a session means cookies right?)"

Read up on PHP Sessions and look for a session library. Plenty out there, one heavyweight being Zend(http://framework.zend.com/manual/1.12/en/zend.session.html). You can save to a database instead for protected server-side sessions. I made one similar to Kohana's.

(2) I didn't understand the "another way" part - how does it differ from the method you described at first?

First method is to just add a token to your form and look for the token to have the expected value upon submission. If the form doesn't have it, you throw an error complaining.

Second method dynamically sets the field names upon form generation AND adds a token field. Submitting the proper form data from a program, bot, or outside source now first requires fetching the form since they wont know what field names to use (instead of just posting data with set field names).

"(3) most important, I am less worried about CSRF attacks, I just don't want bots/crawler to crawl into my forms, would this method prevent it from them, as opposed to humans? why? and is there an easier method to achieve that?"

If you mean bots like Google/SEO/respectful web-crawlers, robots.txt exists for this purpose. robots.txt is a very simple text file that is placed in your site's root directory. You'll see requests in your webserver's access logs for a /robots.txt. This file tells search engine and other robots which areas of your site they are allowed to visit and index. You can read more on the (Robot Exclusion Standard)4 on many (websites)5.

As the second link notes, don't use robots.txt to hide information. It is a public file and visible to anyone. Also, malicious bots wont respect the file.

I'm not sure if when you say bots you mean just crawlers or spambots (bots trying to submit data) and such. If it's crawlers, robots.txt takes care of them. If it's spambots, you can add a hidden field (hidden with CSS not html) with a common name that when filled out you know is invalid, you can add a captcha, etc, etc, etc.