Hi Andreas. You only need to use the token in pages that have forms, because
this is the only situation in which you are concerned about this problem
happening.  So, if you have come upon the first page in a series of forms,
set the token upon hitting that first page, and do this for each consecutive
participating form in the wizard.  That way, if you made it to the third
page, you will have generated 3 different tokens of which you used 2.  The
third token is in session unless the session is lost.  The hidden tag IS
still in the page however.  So, if you go away to have a Hoagie (I'm from
Philly, it's a sub sandwich) and return in 40 minutes, and the session has
been lost, the hidden field value will not match the value in session
because it won't be there.  Voilà!  It won't submit.  You just need to make
sure that the user is forwarded to an appropriate page, like either the
first page in the wizard or somewhere else.


----- Original Message -----
From: "Andreas Prohaska" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 12, 2001 4:00 AM
Subject: RE: Handling session timeouts


>
>
> Of course, tokens will help here. I could also put a special attribute
> into each session and check this attribute in each action. But there are
> two points I don't like here.
>
> * There must be at least one action where I create this attribute. And at
>   least in this action I do not know, if I have a new session or a re-
>   created one. To make the problem worse we do not require the user to log
>   in. So we have no special login page we could use for this purpose.
>   Basically the user may visit almost any page first.
>
> * I have to check for this attribute in *every* action and on *every* JSP
>   page. This could be done by creating my own Action base class, of course,
>   but somehow I don't like the idea (however I can't say why :-) ).
>
> I don't really know how to solve the problem with the JSPs. I would have
> created a special tag that checks if the session is new or not. This is
> bad but seems to be the only solution. Besides, I would never call JSPs
> directly, but some people might want (or have) to do this.
>
> I didn't know that Servlet 2.3 will solve these problems, but what can
> we do until then?
>
> andreas
>
>
> > -----Original Message-----
> > From: Jonathan Asbell [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, June 12, 2001 6:07 AM
> > To: Craig R. McClanahan; [EMAIL PROTECTED]
> > Subject: Re: Handling session timeouts
> >
> >
> > No Craig.  If his session times out, it will lose the token
> > in the session.  Thus the page will not submit because the
> > token in the session will not match the one in the hidden field.
> >
> >
>
>
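
The per-form token check described in the reply at the top of this message, as an added example that is not part of the original thread. The class `WizardTokens`, the attribute name `wizard.token`, the view name `wizardStart` and the `Map` standing in for the servlet session are all assumptions made so the sketch runs without a container.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper: a Map plays the role of the session attributes.
public class WizardTokens {
    static final String KEY = "wizard.token";          // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Call when rendering each form page of the wizard: store a fresh token
    // in the session and return it for the page's hidden field.
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        session.put(KEY, hex.toString());
        return hex.toString();
    }

    // Call on submit. The token is single-use: it is removed from the
    // session before comparing, so a replayed form cannot match again.
    static boolean check(Map<String, Object> session, String hiddenField) {
        Object expected = session.remove(KEY);
        if (expected == null || hiddenField == null) return false; // session lost
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                hiddenField.getBytes(StandardCharsets.UTF_8));
    }

    // Forward to the next step only when the token matches; otherwise send
    // the user back to the first page of the wizard.
    static String submit(Map<String, Object> session, String hiddenField, String next) {
        return check(session, hiddenField) ? next : "wizardStart";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String t1 = issue(session);                       // page 1 rendered
        System.out.println(submit(session, t1, "page2"));
        String t2 = issue(session);                       // page 2 rendered
        System.out.println(submit(session, t2, "page3"));
        String t3 = issue(session);                       // page 3 rendered
        session = new HashMap<>();                        // timeout: new, empty session
        System.out.println(submit(session, t3, "confirm"));
        System.out.println(submit(session, t1, "page2")); // stale token replayed
    }
}
```

The last two submits take the mismatch branch because the recreated session holds no token, which is the timeout case the reply relies on.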
