RE: URL changed by user - how to restrict?

2003-07-15 Thread Amit Kirdatt
Sriram, I would suggest you put sensitive information like that in a user's session and not in the query string. thanks, Amit -Original Message- From: sriram [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 15, 2003 9:10 AM To: 'Struts Users Mailing List' Subject: URL changed by user - how

RE: URL changed by user - how to restrict?

2003-07-15 Thread Gandle, Panchasheel
If you desperately want to do such things, then maybe you can put the generated query string in the session and validate it, if the user has changed the query manually Panchasheel -Original Message- From: sriram [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 15, 2003 10:10 AM

RE: URL changed by user - how to restrict?

2003-07-15 Thread Paananen, Tero
For ex.., I have a page http://mymachine:8080/appln/test.jsp?user=1004 In this page, user details are displayed. If a user changes the query string - from user=1004 to user=1005 - and clicks ENTER, then the details of 1005 are being displayed. I want to avoid this. In such cases, user

Re: URL changed by user - how to restrict?

2003-07-15 Thread James Mitchell
From what you've described, you don't need to pass any user number or id. With the internet, being the stateless beast that it is, how will your application know that any particular request is or isn't supposed to access some particular user number? I think you are going about this the wrong way.

Re: URL changed by user - how to restrict?

2003-07-15 Thread Dichotomy
I agree with what the others said. You can never, and should never, trust anything that the user can change. And you should certainly not be storing the logged in user's id in the query string. I think you may need to read a bit about basic http security. A framework like Struts requires you to
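
The following is an added example, not part of any message in this thread and not Struts code: it contrasts the lookup keyed on the `user=` query parameter from the question with one keyed on a server-side session value, as suggested in the replies. The class name, the `authenticatedUserId` attribute and the plain maps standing in for `HttpSession` and the request parameters are assumptions made so the example runs without a servlet container.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration; all names here are hypothetical. */
public class UserDetailsAccess {

    /** Key under which the server stores the user id at login (assumed name). */
    static final String SESSION_USER_ID = "authenticatedUserId";

    // Constructed sample data standing in for the user table.
    static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("1004", "details of user 1004");
        USERS.put("1005", "details of user 1005");
    }

    /** Pattern from the question: the record shown is whatever user= says. */
    static String detailsFromQueryString(Map<String, String> queryParams) {
        return USERS.get(queryParams.get("user"));
    }

    /** Identity comes from the session; a user= value that disagrees is refused. */
    static String detailsFromSession(Map<String, Object> session,
                                     Map<String, String> queryParams) {
        Object sessionId = session.get(SESSION_USER_ID);
        if (sessionId == null) {
            throw new SecurityException("401: no authenticated session");
        }
        String requested = queryParams.get("user");
        if (requested != null && !requested.equals(sessionId)) {
            // Worth logging: a logged-in user asked for someone else's record.
            throw new SecurityException("403: session user " + sessionId
                    + " requested record " + requested);
        }
        return USERS.get((String) sessionId);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<String, Object>();
        session.put(SESSION_USER_ID, "1004"); // set by the server at login
        Map<String, String> edited = new HashMap<String, String>();
        edited.put("user", "1005"); // query string changed by hand

        System.out.println("query string: " + detailsFromQueryString(edited));
        try {
            detailsFromSession(session, edited);
        } catch (SecurityException e) {
            System.out.println("session:      " + e.getMessage());
        }
        System.out.println("session:      "
                + detailsFromSession(session, new HashMap<String, String>()));
    }
}
```

In a servlet or Struts action the same check would read the id with `request.getSession(false)` and `getAttribute(...)` and answer a mismatch with `response.sendError(HttpServletResponse.SC_FORBIDDEN)`.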