A semi-secure solution is not to use a sendRedirect but rather an HTML page
that redirects the browser. This also enables you to send POST info. Simply
embed a form with the information in hidden input tags, and submit the
form in the body.onLoad event.

As I stated, this is not a really secure solution, since anyone can save the HTML
you create and use the saved version instead of regenerating it, but this
process isn't as easy as bookmarking a GET URL.

If you redirect to a URL within the same HTTP server, I think there are other
possibilities.

One last option is to completely embed that URL in your own page, meaning:
read the entire content of the URL, then send it as your own output. This
is a lot of work, due to the modifications required to make all the links
work.

lee
Lee Elenbaas
RTS Israel
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
(972) 2 5810748 ext: 207
Fax: (972) 2 5815507


-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of S Jayabose
Sent: Wednesday, October 27, 1999 5:43 PM
To: [EMAIL PROTECTED]
Subject: sendRedirect get vs post


hi everyone,

does anyone know if it is possible to use sendRedirect() such that the
browser will send a POST instead of a GET to the new URL?

the problem I am trying to solve is this:
I have a site with registered users. A component of the site has a form that
submits to a 3rd party server (a user id is submitted to the 3rd party server
upon submission). Before the user leaves my site I need to record the fact
that they are going to the 3rd party site.

So the first idea was to have the form submit to a servlet/jsp (this records
the hit on my server) then
sendRedirect("http://www.3rdparty.com?userID=xxx&param1=xxx")

the problem with this solution is that the userID will be visible in the
location bar. anyone could play with the userID and potentially access
another user's data.

But if I sendRedirect as a POST instead of a GET, and write my parameters
into the Request header, the userID would not be visible. Not secure, but
suitable for this app.

Does anyone have any experience with this, or a similar, issue?

thanks.


e. [EMAIL PROTECTED]
v. (617) 452-1346
f. (617) 452-1399

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
FAQs on JSP can be found at:
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
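
Added example, not part of the original messages: the auto-submitting form from the reply, built with HTML-escaped hidden fields. It goes one step beyond the thread by adding an expiry and an HMAC over the userID, so an edited userID or a saved copy of the page can be rejected. The shared key, the `expiry` and `sig` field names, and a third-party server that checks them are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PostRedirectPage {

    // Escape a value for use inside a double-quoted HTML attribute.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // Hex HMAC-SHA256 over "userID|expiry"; the receiving site recomputes it.
    static String sign(byte[] key, String userId, long expiry) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal((userId + "|" + expiry).getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Build the page: hidden inputs, submitted from the body onload event.
    static String render(String action, Map<String, String> fields) {
        StringBuilder html = new StringBuilder("<html><body onload=\"document.forms[0].submit()\">\n");
        html.append("<form method=\"post\" action=\"").append(escape(action)).append("\">\n");
        for (Map.Entry<String, String> f : fields.entrySet()) {
            html.append("<input type=\"hidden\" name=\"").append(escape(f.getKey()))
                .append("\" value=\"").append(escape(f.getValue())).append("\">\n");
        }
        // Fallback button for browsers with scripting disabled.
        html.append("<noscript><input type=\"submit\" value=\"Continue\"></noscript>\n");
        return html.append("</form></body></html>\n").toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // placeholder secret
        long expiry = System.currentTimeMillis() / 1000 + 60; // assumed 60-second validity
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("userID", "xxx"); // placeholder value from the original post
        fields.put("expiry", Long.toString(expiry)); // hypothetical field name
        fields.put("sig", sign(key, "xxx", expiry)); // hypothetical field name
        System.out.print(render("http://www.3rdparty.com/", fields));
    }
}
```

The hidden fields remain readable in the page source; the signature only lets the receiving server detect a changed userID or an expired submission.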
