Hi, you could obtain the session id through session.getId() and put it inside the form as a hidden field; afterwards you could verify its correctness.

Did I answer your question?

Maurizio Cucchiara

2010/9/29 Orpu <[email protected]>:
>
> Hi All,
>
> My application is developed using the Struts framework. It takes the user id
> and password at the time of login and goes to the next page. I am using
> method="POST" when I am invoking the action class as below.
>
> <html:form action="/login.do" method="POST">
>
> Basically I don't have any problem when I am logging in after giving the user id and
> password.
>
> But I am having security concerns when I am sending the user id and password in
> the URL as below
>
> http://localhost:8080/SecurityTest/login.do?userId=sss&password=sss&step=Login
>
> The above URL in the browser successfully takes me to the
> next page.
>
> Can anyone please help me? How do I protect the application in this scenario?
>
> I tried to solve this issue by defining security-constraints in the web.xml
> file as below
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Protected Area with GET</web-resource-name>
> <url-pattern>*/login.do</url-pattern>
> <http-method>GET</http-method>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
>
> One more thing: I should not put restrictions on the other GET methods
> in the entire application. I should only restrict at the time of logging in.
>
> I know the url-pattern that I am using may resolve this issue. But what is
> the correct pattern I have to use?
>
> Please help me.
>
> Thanks
> Raj
> --
> View this message in context:
> http://old.nabble.com/Security-Issue-with-GET-method-tp29838122p29838122.html
> Sent from the Struts - Dev mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
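An added example, not from the thread and not Struts' own code: a servlet Filter that answers Raj's question by refusing credentials sent in the URL for /login.do only, leaving every other GET in the application untouched. The class name, package and web.xml mapping are assumptions.

```java
package example;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Rejects login attempts whose method is not POST, and POSTs that still carry
// credentials in the query string: getParameter() merges query and body, so
// Struts would otherwise populate the ActionForm from the URL anyway.
public class PostOnlyLoginFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            // Credentials in a GET URL land in browser history, proxy and server
            // access logs and Referer headers; refuse before Struts sees them.
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        String query = request.getQueryString();
        if (query != null && (query.contains("password=") || query.contains("userId="))) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "credentials must be sent in the request body");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}

// Assumed web.xml mapping. The url-pattern is an exact match: a pattern that
// starts with "*/" is not a valid servlet url-pattern and matches nothing,
// while "/login.do" applies only to the login action.
//   <filter>
//     <filter-name>postOnlyLogin</filter-name>
//     <filter-class>example.PostOnlyLoginFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>postOnlyLogin</filter-name>
//     <url-pattern>/login.do</url-pattern>
//   </filter-mapping>
```

Blocking GET alone is not enough if the login form's cached URL or bookmarks still carry the parameters, so the query-string check is what actually keeps the credentials out of logs.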
