struts-user mailing list archives

From "Robert S. Sfeir" <>
Subject Re: How do you keep your session junk free?
Date Fri, 07 Mar 2003 19:24:19 GMT

On Friday, Mar 7, 2003, at 14:16 US/Eastern, Rick Reumann wrote:

> Very interesting, thanks for the information. Can this kind of behavior
> be achieved though simply by hitting a "browser" back button? I wouldn't
> think that would be possible without using javascript to resubmit the
> page or to make sure a fresh page was always being looked at?

Sorry to drop in like that, but what is the problem with using Tokens?
Just doing a setToken() before you forward to a JSP page, then doing an
isTokenValid() when the action is called, usually on page submit, is
enough to stop anything. Even if they click the back button then hit
submit, it won't work. If they reload the page with the form, they get a
new token since reloading calls the action which sent them to the page
with the token in the first place. So far it works for me, and in the
isTokenValid() check I just forward to a 'you can't resubmit this page
dorkie, or you'll give me headaches' page, and all is just fine... plus
you can do it in different languages by putting the warning text in the
file. What more is needed here?
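
The token flow described in the message above, as an added example that is not part of the original post or of Struts itself: a stand-alone Java model of issuing a one-time token when the form is displayed and consuming it on submit. In Struts 1 the corresponding `Action` helpers are `saveToken(request)` and `isTokenValid(request)`; here `TokenDemo`, `Session`, `showForm`, `submitForm` and `TOKEN_KEY` are hypothetical names, and the session is modelled as a plain map.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: stand-alone model of the one-time form token flow.
// TokenDemo, Session, showForm, submitForm and TOKEN_KEY are hypothetical names.
public class TokenDemo {
    static final String TOKEN_KEY = "form.token";
    static final SecureRandom RNG = new SecureRandom();

    // Stand-in for a servlet session: per-user, server-side state.
    static class Session {
        final Map<String, String> attrs = new ConcurrentHashMap<>();
    }

    // Action that forwards to the form page: store a fresh random token in the
    // session and return it so the page can embed it as a hidden field.
    static String showForm(Session s) {
        String token = new BigInteger(128, RNG).toString(16);
        s.attrs.put(TOKEN_KEY, token);
        return token;
    }

    // Action that handles the submit: the token is removed before it is compared,
    // so it is single use, and of two concurrent submits only one can obtain it.
    static boolean submitForm(Session s, String submitted) {
        String expected = s.attrs.remove(TOKEN_KEY);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session s = new Session();
        String t1 = showForm(s);
        System.out.println("first submit accepted: " + submitForm(s, t1));
        // Back button: the cached page still carries t1, which is already consumed.
        System.out.println("back + submit accepted: " + submitForm(s, t1));
        // Reload: the display action runs again and issues a new token.
        String t2 = showForm(s);
        System.out.println("submit after reload accepted: " + submitForm(s, t2));
        // A request that carries no token (or a guessed one) is refused as well.
        showForm(s);
        System.out.println("submit without token accepted: " + submitForm(s, null));
    }
}
```

Because the token is unpredictable and bound to the session, the same check also refuses form posts forged from another site, provided every state-changing action performs it.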
