Hans Bergsten wrote:

> If you use POST as intended, it's only for requests that change
> something on the server.

Actually, to be clear, the way I believe it works is that POST must be
used for things that change something on the server, but you're free to
use POST anytime even if it doesn't change anything on the server --
such as when passing 2K of parameter information.

> I feel that the best thing is to
> always redirect to the application's main page if the request
> that triggered the login form to be displayed was a POST request,

Well, if you know for a fact that the original request was a POST that
wouldn't change something on the server, like a username/password
submit, then you can treat it like a GET.  But you need to be 100%
sure.

> A possible way out for POST requests is to keep the current user's
> name in a hidden field in the POST form. It will then end up being
> saved as a hidden field also in the login form. In the authentication
> code you can then check if the new user is the same as the old user,
> and only forward to the originally requested URL if they are the same.

Except that's pretty easy to fake.  I'd recommend using an id value
which corresponded to a data structure on the server that contained the
username.

-jh-

--
Jason Hunter
[EMAIL PROTECTED]
Book:    http://www.servlets.com/book
2.0 to 2.1: http://www.javaworld.com/jw-12-1998/jw-12-servletapi.html
2.1 to 2.2: http://www.javaworld.com/jw-10-1999/jw-10-servletapi.html
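The scheme Jason sketches above, as an added example in plain Java (not code from this thread or from the Servlet API): the login form's hidden field carries only an opaque id, the server keeps the record of who was logged in and what the interrupted request was, and after authentication the original URL is used only if the id is known, the user is unchanged, and the original request was a GET. The class, its field names and the `/app/main` page are assumptions; a login servlet would call `register()` when it renders the form and `resolve()` after checking the password.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical server-side store of requests interrupted by the login form. */
public class PendingLoginRegistry {
    static final String MAIN_PAGE = "/app/main";   // assumed application main page

    static final class Pending {
        final String user;    // user logged in when the form was shown (null if none)
        final String method;  // HTTP method of the interrupted request
        final String url;     // where that request was going
        Pending(String user, String method, String url) {
            this.user = user; this.method = method; this.url = url;
        }
    }

    private final Map<String, Pending> pending = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Record the interrupted request; the returned id is all the hidden field carries. */
    public synchronized String register(String currentUser, String method, String url) {
        byte[] buf = new byte[16];
        random.nextBytes(buf);                       // unguessable, so the id cannot be forged
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        pending.put(id, new Pending(currentUser, method, url));
        return id;
    }

    /** After a successful login: original URL only if id is valid, user unchanged, and GET. */
    public synchronized String resolve(String id, String authenticatedUser) {
        Pending p = (id == null) ? null : pending.remove(id);   // one-time use
        if (p == null) return MAIN_PAGE;                         // unknown, reused or forged id
        if (p.user != null && !p.user.equals(authenticatedUser)) return MAIN_PAGE; // other user
        if (!"GET".equals(p.method)) return MAIN_PAGE;           // never replay a POST blindly
        return p.url;
    }

    public static void main(String[] args) {
        PendingLoginRegistry reg = new PendingLoginRegistry();
        String id = reg.register("alice", "GET", "/app/report?month=3");
        System.out.println("same user, GET:   " + reg.resolve(id, "alice"));
        System.out.println("id reused:        " + reg.resolve(id, "alice"));
        String id2 = reg.register("alice", "POST", "/app/transfer");
        System.out.println("same user, POST:  " + reg.resolve(id2, "alice"));
        String id3 = reg.register("bob", "GET", "/app/inbox");
        System.out.println("different user:   " + reg.resolve(id3, "alice"));
    }
}
```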
