struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark" <>
Subject Re: Avoiding refresh stomping
Date Fri, 07 Mar 2003 14:05:28 GMT
I've resolved this type of problem by using a redirect instead.  This way, if they refresh,
they only refresh the current page (which should just render a view, not process any business

It also depends on where you have your business logic.  


*********** REPLY SEPARATOR  ***********

On 03/07/2003 at 12:25 AM Jeff Smith wrote:

>I worry about users. I've been one. I know how unpredictable we can be. :-)
>Take this case. I have a struts app and I want users to be able to log in. Pretty simple.
In fact, it is probably the most common scenario implemented in samples and tutorials. 
>Being a good host, I like to keep track of my guests. So when my users log in, I want
to time-stamp them so I know how long they've been connected.
>My action-forward for login success takes me to a pretty page that gives my users stats
about their last logon (in case somebody is using their account without their knowledge) and
a bunch of other stuff.
>So they tend to sit on that page and read it for a while.
>Then (and here's the unpredictable user part) for some reason, they hit the refresh button
on their browser. Well, since they got here as an action forward from the authentication sequence,
the refresh resubmits all their logon credentials, the system re-authenticates them and then
takes them, finally, back to the page they've been reading and refreshes it. And in that process,
my login timestamp is stomped with a newer one.
>Now, I have already figured out a few ways to short circuit the re-authentication (like,
don't authenticate a user who is already logged in.) But the question is, where else could
my users be inadvertently causing spurious recursions into potentially costly sequences by
ignorantly hitting the refresh button? I can imagine that some of my action sequences might
invoke some fairly expensive computations before displaying the results. But do I *REALLY*
want to recompute the whole thing when my users hit refresh? In the case of rendering dynamic
content, maybe I do. But for transactional stuff like logging in, or submitting a credit card
for authentication, I probably don't want to re-compute on refresh.
>Am I the only one who worries about stuff like this?
>I want my site to be bullet proof, idiot proof and all-kinds-of-other-things-proof. I'd
be curious to know how other people handle this situation.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message