>> Works well when deployed in a trusted environment like intranet. (But
>> no server side protection...)
>
> You *always* need server side checking, even in "trusted" environments.
> Client side checking is a luxury for the user, nothing more.

Agree :-)

>> - There is no way to avoid ActionForm with session scope to be populated
>> with data coming from an invalid request (with a bad token).
>
> I'm still not sure why this is a problem. Even if the form contains bad
> data, nothing will be done with the data if you check for the bad token and
> forward to an error page.

OK, let's say the user double-clicks on the submit button, so you have request A and request B. A is valid and is being processed when B reaches the server. The session ActionForm is populated with B's data while A is still processing the same bean. You have a race and there is no way to avoid it. For example, Struts may be calling the reset method on the session ActionForm for B when A will be accessing the ActionForm data. ... Anything can happen :-)

Hope it's more clear ... :-)

Thanks for your help anyway :-)

/David

P.S.: In fact it seems to me to be a more general race problem (i.e., when you have a session ActionForm and 2 requests using the same ActionForm, you have a race).
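
The race described in this message, reproduced deterministically as an added Java example (not part of the original post and not Struts code). `OrderForm` is a hypothetical stand-in for a session-scoped ActionForm, and the per-session lock held across populate and processing is an assumed mitigation shown for contrast.

```java
import java.util.concurrent.CountDownLatch;

public class SessionFormRace {
    // Hypothetical stand-in for a session-scoped ActionForm: one instance per session.
    static class OrderForm {
        String item, qty;
        void reset() { item = null; qty = null; }
        void populate(String i, String q) { item = i; qty = q; }
    }

    static void await(CountDownLatch l) {
        try { l.await(); } catch (InterruptedException e) { throw new IllegalStateException(e); }
    }

    // Returns what request A's action read from the shared form.
    static String run(boolean serialize) throws InterruptedException {
        OrderForm form = new OrderForm();
        Object sessionLock = new Object();          // assumed: one lock object per session
        CountDownLatch aReadItem = new CountDownLatch(1), bReset = new CountDownLatch(1),
                       aDone = new CountDownLatch(1);
        String[] seen = new String[1];

        Thread a = new Thread(() -> {               // request A: valid token
            synchronized (serialize ? sessionLock : new Object()) {
                form.populate("book", "1");         // constructed sample data
                String item = form.item;            // action reads the first field
                aReadItem.countDown();
                if (!serialize) await(bReset);      // B's reset lands mid-processing
                seen[0] = item + "/" + form.qty;    // action reads the second field
                aDone.countDown();
            }
        });
        Thread b = new Thread(() -> {               // request B: double click, stale token
            await(aReadItem);
            synchronized (serialize ? sessionLock : new Object()) {
                form.reset();                       // framework resets the same bean
                bReset.countDown();
                if (!serialize) await(aDone);
                form.populate("book", "1");
            }
        });
        a.start(); b.start(); a.join(); b.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsynchronized:   A read " + run(false));
        System.out.println("per-session lock: A read " + run(true));
    }
}
```

Without the lock, A's second read happens after B's `reset()`, so A sees a half-cleared form even though B's token would be rejected later; with the lock, B's reset waits until A has finished.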

