Hi Pankaj,
If you do not want to use container-supported security, storing information in the session that captures the login is typical. You then need to check the session information in every page which requires login, and delete the information (or invalidate the session) when the user logs out or times out.
Using a hidden field is not at all foolproof, since the field is not hidden from the user (he/she can see it by viewing the page source) and it is easily spoofed. Not all of the requests you get need to come from your forms; anyone with telnet can send you hand-crafted GET/POST requests.
Pankaj Gupta <[EMAIL PROTECTED]>
May 22, 2006 10:07 PM
Hi,
I want to implement a feature in Struts wherein nobody can open a page
directly by copying the url and pasting it in a new browser window, i.e.
any page of the application can only be reached through login page. If
the user pastes the url in the browser, he is redirected to the login
page. For this I am planning to keep the user's role in session scope
and verify it before loading any page. Also I intend to set a hidden
field in the next page to be displayed and check it before loading of
the new page. If the hidden field is not set, the new page won't be
loaded and the user would be redirected to the login page.
Please suggest if it is the right way and if yes how can I set a hidden
field in Struts.
regards,
Panks
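
The session check described in the reply, as an added example that is not part of either message: a servlet filter that redirects any request without login state in the session to the login page, plus the logout step. The attribute name `authenticatedUser` and the paths `/login.jsp` and `/login.do` are assumptions, not names from the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginCheckFilter implements Filter {
    // Assumed name: the login action stores the user object under this key.
    static final String USER_KEY = "authenticatedUser";
    // Assumed paths that must stay reachable without a login.
    static final String LOGIN_PAGE = "/login.jsp";
    static final String LOGIN_ACTION = "/login.do";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getServletPath();
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): never create a session just to test for a login.
        // A timed-out session is gone on the server, so it also fails this check.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            // Pasted URL, hand-crafted request, or expired login: back to login.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    // Called from the logout action: drop the server-side login state.
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Mapping the filter to `/*` in `web.xml` applies the check to every action and JSP, so the decision rests only on state held on the server and not on anything the browser sends back in a form field.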