This looks reliable enough, but still I would suggest doing a role and user
check on each page (only if the application requires it)

thanks
-raj



                                                                                       
                                                
From: sriram <[EMAIL PROTECTED]h.com>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
cc: Rajendra X. Yadav/EMPL/India/[EMAIL PROTECTED]
Subject: RE: Disallow user to modify URL in browser address bar
Date: 22/08/2003 06:13 PM
Please respond to "Struts Users Mailing List"




Rajendra,

I've used the following code in my .jsp page:

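<%
// Forward to the logoff page when the request has no Referer header.
// Check for null first, and compare string content with equals():
// == on strings compares object references, not values.
String referer = request.getHeader("referer");
if (referer == null || "".equals(referer)) {
%>
             <jsp:forward page="../jsp/logoff.jsp"/>
<%
}
%>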

If the user tries to manipulate the URL in the address bar, "referer"
becomes null.

It works, but I'm not sure how reliable this is!

Sriram

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 2:09 PM
To: Struts Users Mailing List
Subject: Re: Disallow user to modify URL in browser address bar



If the user is allowed to view the page, then no problem. If he is not,
then you should have some sessionid authentication and user role and
privilege authentication in every page.

I think that's the only way of preventing a user from going to a restricted
page.

thanks
-raj




From: sriram <[EMAIL PROTECTED]h.com>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
cc:
Subject: Disallow user to modify URL in browser address bar
Date: 22/08/2003 11:45 AM
Please respond to "Struts Users Mailing List"







How to identify if user has manipulated the URL in Address Bar of the
browser?

For ex., the application displays a page with the following URL:

http://localhost:8080/app/str/testview_srchpost.do

Now, the user modifies the URL in the address bar. Instead of
testview_srchpost.do, user types testtwoview_srchpost.do and clicks ENTER.

I want to restrict such types of URL modification in the Struts application. I
should take the user to a default access denied page whenever the user makes
such changes.

How to identify this action of the user? Please give some ideas.







---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
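
The per-request session and role check recommended in this thread, written as a servlet filter so it runs before every action regardless of how the URL was reached. This is an added example, not code from any poster; the `userRoles` session attribute, the role names and the path-to-role map are assumptions, and it uses the `javax.servlet` API with Java 9+ `Map.of`.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: deny-by-default authorization for every *.do request.
public class RoleCheckFilter implements Filter {

    // Hypothetical policy: the role required for each action path.
    // The paths are the two from the question; the roles are made up.
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
        "/str/testview_srchpost.do", "viewer",
        "/str/testtwoview_srchpost.do", "admin");

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = req.getSession(false);
        // Assumption: the login action stored a Set<String> under "userRoles".
        Object roles = (session == null) ? null : session.getAttribute("userRoles");

        // For an extension mapping (*.do) this is the path after the context root.
        String needed = REQUIRED_ROLE.get(req.getServletPath());

        // Unknown paths, missing sessions and missing roles are all refused.
        boolean allowed = needed != null
            && roles instanceof Set
            && ((Set<?>) roles).contains(needed);

        if (!allowed) {
            // The decision depends only on server-side session state, so it is
            // the same for typed, bookmarked and linked URLs, with or without
            // a Referer header.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override
    public void destroy() {}
}
```

Map the filter to `*.do` in `web.xml`, and add an `<error-page>` entry for status 403 to render the access denied page.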





