On Friday, Mar 7, 2003, at 14:16 US/Eastern, Rick Reumann wrote:


Very interesting, thanks for the information. Can this kind of behavior
be achieved though simply by hitting a "browser" back button? I wouldn't
think that would be possible without using JavaScript to resubmit the
page or to make sure a fresh page was always being looked at?

Sorry to drop in like that, but what is the problem with using Tokens? Just doing a setToken() before you forward to a JSP page, then doing an isTokenValid() when the action is called, usually on page submit, is enough to stop anything. Even if they click the back button then hit submit, it won't work. If they reload the page with the form, they get a new token, since reloading calls the action which sent them to the page with the token in the first place. So far it works for me, and in the isTokenValid() check I just forward to a 'you can't resubmit this page dorkie, or you'll give me headaches' page, and all is just fine... Plus you can do it in different languages by putting the warning text in the resources.properties file. What more is needed here?

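The one-time form token flow described in the message above, as an added example that is not part of the original post and is not Struts code. It models the mechanism with a plain `Map` standing in for the HTTP session; the class name, the method names `issueToken` and `checkAndConsume`, and the session key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class FormTokenDemo {
    private static final String KEY = "demo.form.token"; // hypothetical session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Called by the action that forwards to the form page: store a fresh token in the session.
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        synchronized (session) {
            session.put(KEY, token);
        }
        return token; // rendered into the form as a hidden field
    }

    // Called by the action that handles the submit: the token is consumed on first use.
    static boolean checkAndConsume(Map<String, Object> session, String submitted) {
        Object stored;
        synchronized (session) {
            stored = session.remove(KEY); // remove before comparing so a replay can never match
        }
        if (stored == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual( // constant-time comparison
                ((String) stored).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed stand-in for HttpSession
        String hidden = issueToken(session);
        System.out.println("first submit:        " + checkAndConsume(session, hidden));
        // Back button shows the cached form with the old hidden value; resubmitting it is rejected.
        System.out.println("back + resubmit:     " + checkAndConsume(session, hidden));
        // Reloading the form goes through the issuing action again and receives a new token.
        String reloaded = issueToken(session);
        System.out.println("submit after reload: " + checkAndConsume(session, reloaded));
        System.out.println("stale token again:   " + checkAndConsume(session, hidden));
    }
}
```

Because the token lives in the server-side session and is removed on the first check, the rejection of the second submit does not depend on anything the browser does.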