Struts and the web browser have already verified it for you. The whole point of establishing a session is to correlate a browser to the server. The browser already sends a cookie containing the session ID to the server along with each request. So as long as you can retrieve the user object from the session corresponding to the incoming request, you know that you are dealing with the right guy.
Search keyword: "session tracking".

On 4/18/05, Yan Hu <[EMAIL PROTECTED]> wrote:
> I need to check if a user is the one who has permission to a certain action.
> His role is stored in the database, for example user.isStudent.
> The whole student object is stored in the session after he logs in
> successfully.
> From that point on, every time he sends a request that invokes an action,
> I need to verify if this student is who he claims he is. I could
> include a hidden field, for example his email, in every page I send back
> to him and get this property back to verify who he is. I was wondering
> if this approach is problematic since he could manipulate the hidden field.
> Any better solutions to that? Thanks a lot!
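An added example (not code from the thread or from the Struts project) that puts the hidden-field check asked about beside the session-based check the reply recommends, in a Struts 1 Action. The Student class, the "user" session attribute name and the "login"/"success" forward names are assumptions; the Struts and Servlet API calls are real.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Assumed domain object; the thread only mentions user.isStudent. */
class Student {
    private final String email;
    private final boolean student;
    Student(String email, boolean student) { this.email = email; this.student = student; }
    public String getEmail() { return email; }
    public boolean isStudent() { return student; }
}

public class StudentOnlyAction extends Action {
    /** Assumed attribute name under which the login action stored the Student. */
    static final String USER_KEY = "user";

    // The approach asked about: the identity comes from a hidden form field.
    // The browser, and so the user, fully controls that value, so it proves nothing.
    static String identityFromHiddenField(HttpServletRequest request) {
        return request.getParameter("email");
    }

    // The approach the reply recommends: the identity comes from server-side session
    // state. The browser only presents the session ID cookie the server issued at login
    // and cannot edit the objects stored under it.
    static Student identityFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create an empty session here
        if (session == null) return null;
        Object user = session.getAttribute(USER_KEY);
        return (user instanceof Student) ? (Student) user : null;
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        Student s = identityFromSession(request);
        if (s == null || !s.isStudent()) {
            return mapping.findForward("login"); // assumed forward names: "login", "success"
        }
        // A hidden field is only data to act on, never the basis for deciding who the caller is.
        String claimed = identityFromHiddenField(request);
        if (claimed != null && !claimed.equals(s.getEmail())) {
            return mapping.findForward("login"); // form disagrees with the session: reject it
        }
        request.setAttribute("student", s);
        return mapping.findForward("success");
    }
}
```

The same check belongs in every protected Action (or in a shared base Action or filter) so that no request path can reach the role-restricted logic without a session that already holds the logged-in Student.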