I agree with what the others said. You can never, and should never, trust anything 
that the user can change. And you should certainly not be storing the logged in user's 
id in the query string. I think you may need to read a bit about basic HTTP security. 
A framework like Struts requires you to actually know what you are doing when it comes 
to basic web design techniques. It does not give you some sort of 'magic key' that 
allows you to skip over all that stuff and start writing web applications right away - 
if you do, they will be riddled with holes.

Btw, there is no way you can do what you're asking. HTTP_REFERER can be altered by the 
user too.

-- 
If education is too expensive, try ignorance.
On Tue, 15 Jul 2003 19:39:36 +0530
sriram <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I am developing a web application in which some parameters are passed through query 
> string.
> 
> I do not want to allow users to manipulate the query string. If they manipulate, 
> they should be logged off and taken to login page.
> 
> For example, I have a page http://mymachine:8080/appln/test.jsp?user=1004
> In this page, user details are displayed.
> 
> If a user changes the query string - from user=1004 to user=1005 - and clicks ENTER, 
> then the details of 1005 are being displayed. I want to avoid this. In such cases, 
> user should be logged off and taken to login screen.
> 
> How can this be done using Struts? Any clue? I believe this can be done by checking 
> HTTP_REFERER, but I'm unable to get it right.
> 
> Sriram
> 
> -----Original Message-----
> From: Greg Hess [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 15, 2003 7:31 PM
> To: 'Struts Users Mailing List'
> Subject: RE: URL validation with struts???
> 
> 
> 
> 
> Hi Prashanth,
> 
> I have done this using the Struts validator. I use the mask rule as
> follows:
> 
>       <form name="serviceProviderForm">
>               <field property="URL" depends="required,mask">
>                       <msg name="mask" key="error.invalid.ServiceProviderURL"/>
>                       <arg0 key="serviceProvider.url"/>
>                       <var>
>                               <var-name>mask</var-name>
>                               <var-value>^http:\/\/[^ ]*$</var-value>
>                       </var>
>               </field>
>       </form>
> 
> There are great examples of using the validator in the Struts distribution. With 
> this my code need not be concerned with the validity of the URL string, which is checked 
> by the validation framework on both the client side (JavaScript) and the server side, and I 
> only worry about errors obtaining a connection to the supplied URL.
> 
> Cheers,
> 
> Greg
> 
> -----Original Message-----
> From: Prashanth.S [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 15, 2003 9:36 AM
> To: [EMAIL PROTECTED]
> Subject: URL validation with struts???
> 
> Hi all,
> I need to upload a resource present at a particular location by making the user enter a 
> valid URL... How can I do URL name validation using Struts??? Is there anything to do 
> so?? Do I need to do this in the action form or the action class?? [what the user entered is a 
> valid URL, i.e., both the name as well as the resource present at that URL] Thanks in advance 
> Prashanth
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
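
An added example, not part of the original thread and not code from the Struts project: a Struts 1 `Action` that takes the user id from the server-side session rather than the query string, and logs the user off when a `user` parameter disagrees with it, without consulting the Referer header. The session attribute name, the class name and the `login`/`success` forward names are assumptions; the login action is assumed to store the id in the session after authentication.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class ShowUserAction extends Action {

    // Assumed name; set by the login action once credentials are verified.
    static final String SESSION_USER_ID = "authenticatedUserId";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = request.getSession(false);
        Object sessionUserId =
                (session == null) ? null : session.getAttribute(SESSION_USER_ID);
        if (sessionUserId == null) {
            return mapping.findForward("login");   // assumed forward name
        }

        // The query string is client-controlled. It is only compared against
        // the session value, never used to choose whose details are loaded.
        String requested = request.getParameter("user");
        if (requested != null && !requested.equals(sessionUserId.toString())) {
            session.invalidate();                   // log the user off on tampering
            return mapping.findForward("login");
        }

        // The JSP renders details for the session's user id only.
        request.setAttribute("userId", sessionUserId);
        return mapping.findForward("success");      // assumed forward name
    }
}
```

With this in place the `user` parameter can be dropped from the links entirely, since the action never needs it to decide which record to show.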
