Re: Form data refresh?

2008-02-21 Thread Christopher Schultz
Alaska,
Alaska Winter wrote:
| what happens if user hits the back button to catalogue. Perfectly valid
| thing to do.
If they submit an old (expired) token, then you simply ignore the request. You will probably want to notify them why the request

Re: Form data refresh?

2008-02-20 Thread Alaska Winter
I would add a one time token to the request. Do you mean on the client side using javascript or something?

Re: Form data refresh?

2008-02-20 Thread David Smith
Alaska Winter wrote: I would add a one time token to the request. Do you mean on the client side using javascript or something?
Nope... just either a hidden field in the form or, if you are building URLs w/ parameters, just add it in. Very simple stuff.
1. Tomcat receives request

Re: Form data refresh?

2008-02-20 Thread Alaska Winter
I think I understand:
-- generate unique token=xyz123 and store in the session
-- generate catalogue content so that addToCart URLs look like this in the HTML source: http://my.domain.com/addToCart.do?itemId=HB0019?token=xyz123
-- when user adds an item to the cart, check form data token
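The flow discussed in this thread, as an added example that is not part of any poster's message: a one-time token is stored in the session when the catalogue is rendered, the first addToCart request consumes it, and a refreshed or stale (back-button) request is rejected. A plain Map stands in for the HttpSession, and the class, method and attribute names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: a Map stands in for the HttpSession attributes (assumption).
public class OneTimeToken {
    private static final String ATTR = "formToken"; // hypothetical attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Rendering the catalogue: store a fresh token, return it for the URL or hidden field.
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        synchronized (session) { session.put(ATTR, token); }
        return token;
    }

    // Handling addToCart: accept only the current token, and only once.
    static boolean consume(Map<String, Object> session, String submitted) {
        synchronized (session) {
            Object current = session.get(ATTR);
            if (current == null || submitted == null) {
                return false; // nothing issued, already used, or no token sent
            }
            boolean match = MessageDigest.isEqual(
                    current.toString().getBytes(StandardCharsets.UTF_8),
                    submitted.getBytes(StandardCharsets.UTF_8));
            if (match) {
                session.remove(ATTR); // single use: a refresh replays a spent token
            }
            return match;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String first = issue(session);
        System.out.println("/addToCart.do?itemId=HB0019&token=" + first);
        System.out.println("first click:   " + consume(session, first));
        System.out.println("page refresh:  " + consume(session, first));
        String second = issue(session); // catalogue rendered again
        System.out.println("stale (back):  " + consume(session, first));
        System.out.println("current token: " + consume(session, second));
    }
}
```

In a servlet or Struts action, a `false` result is the point at which the handler skips the cart update and tells the user why the request was ignored.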