I'm suggesting you generate a token when rendering a form and store it as an attribute of the session and as a hidden field in the form. Every time you get a form submission, compare the request parameter against the session-stored value and process the request. Retrieve and remove the attribute as soon as a form submission comes in, to both flag to your JSP that there isn't already a token out there and help protect against a double submit. Some users just can't resist that itchy trigger finger ;-).

--David

Bachler, Elisabeth (Elisabeth) wrote:

Thanks for your response.... Are you saying that every time the
index.html is executed, I should generate a random number and send it to
the other files, then compare it with the one I have in the stack?


Elisabeth


-----Original Message-----
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, 04 June 2007 14:10
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

As an alternative, you could incorporate one-time tokens.  Generate on
every page request, store in both session and request parameters and
compare on every submission.  If they go out of sync (i.e. an old one
shows up) you know they spawned a new window.  In that case the old
window should be considered abandoned.  Post a polite error message and
otherwise ignore the request.

The tokens don't have to be complex -- a simple 16-bit random number
should be more than sufficient.  You could build it as a filter to help
validate the request before it gets to your action code.

--David
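As an added example (not code from anyone in this thread or from Tomcat), here is a servlet filter implementing the one-time token scheme David describes above and in his reply at the top of the thread: issue the token when the form is rendered, keep it in the session and in a hidden field, then on submission fetch-and-remove the session copy and compare it to the request parameter. The class, attribute and parameter names (OneTimeTokenFilter, formToken, token) are assumed, and it draws a 128-bit token from SecureRandom rather than a 16-bit number so the value cannot be guessed by a second window that has not seen the form.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

/** Synchronizer-token filter: map it (in web.xml) to the action URLs that modify data. */
public class OneTimeTokenFilter implements Filter {
    public static final String SESSION_KEY = "formToken"; // session attribute name (assumed)
    public static final String PARAM = "token";           // hidden field name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("POST".equalsIgnoreCase(request.getMethod())) {
            HttpSession session = request.getSession(false);
            String expected = null;
            if (session != null) {
                // Retrieve and remove in one step: the token is single-use, so a
                // double click or a second window finds nothing left to match.
                synchronized (session) {
                    expected = (String) session.getAttribute(SESSION_KEY);
                    session.removeAttribute(SESSION_KEY);
                }
            }
            String supplied = request.getParameter(PARAM);
            if (expected == null || supplied == null || !expected.equals(supplied)) {
                // Stale or replayed form: polite error, and the action code never runs.
                response.sendError(HttpServletResponse.SC_CONFLICT,
                        "This form is no longer valid. Please reload the page and try again.");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Called from the JSP while rendering the form, e.g.
     * <input type="hidden" name="token" value="<%= OneTimeTokenFilter.issueToken(session) %>">
     * Issuing a new token also invalidates any form still open in another window.
     */
    public static String issueToken(HttpSession session) {
        String token = new BigInteger(128, RNG).toString(16);
        session.setAttribute(SESSION_KEY, token);
        return token;
    }
}
```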

Johnny Kewl wrote:

Can't say I do understand...
Session IDs are almost untouchable... they're used by too many things, authentication, SSO, load balancing, and I'm worried that when the user does something as simple as a right click and opens a new page, the app breaks.

I'm not sure what you're saying but I would rather go for something like change credits. So, user does something that allows them one change... you store that in the session, as an attribute, something like setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on page 5 they make the change....
the attribute is set back to 0;
None of the other pages will allow it.... something like that.

All I think that is happening is you're trying to store state in the browser page, instead of the Session. i.e. you give them a page, they change, you present them with a page that is one state further on... i.e. thank you for the change, can't change anymore, but the user just has to open a new page and they're back to the beginning.
But if you store the state in the session.... that won't happen.
Irony is I think you actually need that Session.

Good Luck

----- Original Message -----
From: "Bachler, Elisabeth (Elisabeth)" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Monday, June 04, 2007 12:32 PM
Subject: RE: I would like a new session each time I start my application


The thing is that my application accesses a database. When the user wants to modify the db, I lock the access to this particular action (and let the user only view the data) using the sessionID. Now, if the user is "bad"... He can log on once and get the modify action... Then he can open a new screen and modify things again... Which is not what I need. Every time a new screen is opened to execute the application I need a different sessionID. Do you see what my problem is? I don't know another way of doing it.


-----Original Message-----
From: Johnny Kewl [mailto:[EMAIL PROTECTED]
Sent: Monday, 04 June 2007 11:07
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

Liz, please tell us what you're actually doing and why you need this?
I think there is a conceptual problem...

----- Original Message -----
From: "Bachler, Elisabeth (Elisabeth)" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Friday, June 01, 2007 6:57 PM
Subject: I would like a new session each time I start my application


Hi,
I have an application that works under tomcat.
Each time I run my application I have the same sessionID. Is there a way to generate a different sessionID each time I start my
application?
Thanks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]