struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul Benedict (JIRA)" <>
Subject [jira] Updated: (STR-2144) Make tokens work in a multi-frame environment
Date Tue, 03 Jun 2008 21:30:06 GMT


Paul Benedict updated STR-2144:

    Fix Version/s:     (was: Future)

> Make tokens work in a multi-frame environment
> ---------------------------------------------
>                 Key: STR-2144
>                 URL:
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.1.0
>         Environment: Operating System: All
> Platform: All
>            Reporter: Jean-Baptiste Nizet
>            Priority: Minor
>             Fix For: 1.4.0
> Tokens are useful to prevent multiple submissions in case of non-idempotent
> actions. The problem with the current implementation is that the same token key
> is used for all the actions of an application. This means that if I use several
> browser windows or tabs and initiate two different token-based actions, only the
> last one will work, because all the first token will be replaced by the second
> one in the session.
> A possible solution would be to use the following mechanism.
> When saveToken() is called, instead of saving the generated token (example:
> "t1") in the session using the key org.apache.struts.action.TOKEN, save it (or
> save an empty string or anything else) in the session using the token as a key
> (example: the session contains t1=""). At the same time, put the token in the
> request, using the org.apache.struts.action.TOKEN constant as a key (example:
> the request contains org.apache.struts.action.TOKEN="t1").
> When the form tag is used: check if the request attribute
> org.apache.struts.action.TOKEN exists. If it exists, get its value and generate
> the hidden field (example: <input type="hidden"
> name="org.apache.struts.action.TOKEN" value="t1"/>).
> When isTokenValid() is called: get the value of the request parameter
> org.apache.struts.action.TOKEN (example: "t1"), and check if there is a session
> attribute with this value (example: if the session contains an attribute named
> "t1", then the token is valid).
> This solution solves the multi-window problem, but introduces two new problems:
> 1. It could clutter the session with tokens if the user decides not to perform
> the action for which the token has been generated. 
> 2. It's not possible anymore to generate and save a token in a request, and to
> verify the token 3 or 4 requests later. This is especially important to allow
> validation without losing the token.
> To solve the second problem, the user would have to include the token parameter
> in each request after the generation of the token (using the form tag, or
> html:link with transaction="true"), and the request processor would have to
> extract the token parameter from the request and to put it in the request
> attributes at each request. It would also have to append the token parameter at
> the end of the URI for redirect forwards.
> What's your opinion? Am I asking too much?

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message