[ https://issues.apache.org/struts/browse/STR-2144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Benedict updated STR-2144:
-------------------------------

    Fix Version/s:     (was: Future)
                       1.4.0

> Make tokens work in a multi-frame environment
> ---------------------------------------------
>
>                 Key: STR-2144
>                 URL: https://issues.apache.org/struts/browse/STR-2144
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.1.0
>         Environment: Operating System: All
>                      Platform: All
>            Reporter: Jean-Baptiste Nizet
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> Tokens are useful to prevent multiple submissions in case of non-idempotent
> actions. The problem with the current implementation is that the same token
> key is used for all the actions of an application. This means that if I use
> several browser windows or tabs and initiate two different token-based
> actions, only the last one will work, because the first token will be
> replaced by the second one in the session.
>
> A possible solution would be to use the following mechanism.
>
> When saveToken() is called, instead of saving the generated token (example:
> "t1") in the session using the key org.apache.struts.action.TOKEN, save it (or
> save an empty string or anything else) in the session using the token as a key
> (example: the session contains t1=""). At the same time, put the token in the
> request, using the org.apache.struts.action.TOKEN constant as a key (example:
> the request contains org.apache.struts.action.TOKEN="t1").
>
> When the form tag is used: check if the request attribute
> org.apache.struts.action.TOKEN exists. If it exists, get its value and
> generate the hidden field (example: <input type="hidden"
> name="org.apache.struts.action.TOKEN" value="t1"/>).
>
> When isTokenValid() is called: get the value of the request parameter
> org.apache.struts.action.TOKEN (example: "t1"), and check if there is a
> session attribute with this value (example: if the session contains an
> attribute named "t1", then the token is valid).
> This solution solves the multi-window problem, but introduces two new
> problems:
>
> 1. It could clutter the session with tokens if the user decides not to
>    perform the action for which the token has been generated.
> 2. It's not possible anymore to generate and save a token in a request, and
>    to verify the token 3 or 4 requests later. This is especially important to
>    allow validation without losing the token.
>
> To solve the second problem, the user would have to include the token
> parameter in each request after the generation of the token (using the form
> tag, or html:link with transaction="true"), and the request processor would
> have to extract the token parameter from the request and to put it in the
> request attributes at each request. It would also have to append the token
> parameter at the end of the URI for redirect forwards.
>
> What's your opinion? Am I asking too much?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
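The per-token scheme described in the issue, modeled as an added example. This is editorial code, not Struts code and not the reporter's; it uses no Struts or servlet API, so session attributes, request attributes and request parameters are plain maps. The session attribute name TOKEN_SET_KEY, the cap of 16 outstanding tokens per session (a bound on the clutter in problem 1), the SecureRandom token source (Struts derives its token differently) and the carryToken() step for problem 2 are all assumptions of this example. The one-shot consumption in isTokenValid() is what actually stops a double submit once each window has its own token.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Stand-alone model of the per-token scheme proposed in STR-2144.
 * No Struts or servlet API: session, request attributes and request
 * parameters are plain maps so the multi-window case runs from main().
 */
public final class MultiWindowToken {

    /** Key Struts uses for the request attribute and the hidden form field. */
    public static final String TOKEN_KEY = "org.apache.struts.action.TOKEN";

    /** Session attribute holding the outstanding tokens (name is an assumption of this example). */
    private static final String TOKEN_SET_KEY = "org.apache.struts.action.TOKEN_SET";

    /** Cap on outstanding tokens per session (assumed value); bounds the clutter of problem 1. */
    private static final int MAX_OUTSTANDING = 16;

    private static final SecureRandom RNG = new SecureRandom();

    private MultiWindowToken() {}

    /** saveToken(): random token recorded in the session under its own key and exposed to the view. */
    public static String saveToken(Map<String, Object> session, Map<String, Object> request) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding(session).put(token, Boolean.TRUE);
        request.put(TOKEN_KEY, token);
        return token;
    }

    /** What the form tag emits when the request attribute is present (base64url alphabet needs no HTML escaping). */
    public static String hiddenField(Map<String, Object> request) {
        Object token = request.get(TOKEN_KEY);
        return token == null ? "" : "<input type=\"hidden\" name=\"" + TOKEN_KEY + "\" value=\"" + token + "\"/>";
    }

    /** isTokenValid(): the submitted token must be outstanding; with reset it is consumed, so a replay fails. */
    public static boolean isTokenValid(Map<String, Object> session, Map<String, String> params, boolean reset) {
        String submitted = params.get(TOKEN_KEY);
        if (submitted == null) return false;
        Map<String, Boolean> tokens = outstanding(session);
        synchronized (tokens) {
            boolean valid = tokens.containsKey(submitted);
            if (valid && reset) tokens.remove(submitted);
            return valid;
        }
    }

    /** Request-processor step for problem 2: carry a still-valid token parameter into the request attributes. */
    public static void carryToken(Map<String, Object> session, Map<String, String> params, Map<String, Object> request) {
        if (isTokenValid(session, params, false)) request.put(TOKEN_KEY, params.get(TOKEN_KEY));
    }

    @SuppressWarnings("unchecked")
    private static Map<String, Boolean> outstanding(Map<String, Object> session) {
        synchronized (session) {
            Map<String, Boolean> tokens = (Map<String, Boolean>) session.get(TOKEN_SET_KEY);
            if (tokens == null) {
                // insertion-ordered map that drops the oldest token once the cap is exceeded
                tokens = new LinkedHashMap<String, Boolean>() {
                    @Override
                    protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                        return size() > MAX_OUTSTANDING;
                    }
                };
                session.put(TOKEN_SET_KEY, tokens);
            }
            return tokens;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        Map<String, Object> windowA = new HashMap<>();
        Map<String, Object> windowB = new HashMap<>();
        // Two windows of one session each render a token-protected form.
        String tokenA = saveToken(session, windowA);
        String tokenB = saveToken(session, windowB);
        System.out.println(hiddenField(windowA));
        System.out.println(hiddenField(windowB));

        Map<String, String> submitA = Collections.singletonMap(TOKEN_KEY, tokenA);
        Map<String, String> submitB = Collections.singletonMap(TOKEN_KEY, tokenB);
        // Problem 2: a validation-error round trip re-renders B's form with its token, without consuming it.
        Map<String, Object> redisplayB = new HashMap<>();
        carryToken(session, submitB, redisplayB);
        System.out.println(hiddenField(redisplayB));

        // Each window's token is accepted once, whichever submits first; a replay or a forged value is rejected.
        System.out.println("A submit:   " + isTokenValid(session, submitA, true));
        System.out.println("B submit:   " + isTokenValid(session, submitB, true));
        System.out.println("A replayed: " + isTokenValid(session, submitA, true));
        System.out.println("forged:     " + isTokenValid(session, Collections.singletonMap(TOKEN_KEY, "x"), true));
    }
}
```

Two design points worth noting when reading the proposal against this model. First, because the token is now the map key rather than a single session value, the only thing that makes the check meaningful is that the key is unguessable and consumed on use; a token that is validated with reset=false (the carry-through for problem 2) stays live and must eventually be consumed or evicted. Second, the eviction cap is the trade-off for problem 1: without it a user who keeps opening forms and never submitting grows the session without bound, and with it the oldest unsubmitted form in a long-lived window silently starts failing its token check.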