http://issues.apache.org/bugzilla/show_bug.cgi?id=30295

Make tokens work in a multi-frame environment

Summary: Make tokens work in a multi-frame environment
Product: Struts
Version: 1.1 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: Controller
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

Tokens are useful to prevent multiple submissions in case of non-idempotent actions. The problem with the current implementation is that the same token key is used for all the actions of an application. This means that if I use several browser windows or tabs and initiate two different token-based actions, only the last one will work, because the first token will be replaced by the second one in the session.

A possible solution would be to use the following mechanism.

When saveToken() is called, instead of saving the generated token (example: "t1") in the session using the key org.apache.struts.action.TOKEN, save it (or save an empty string or anything else) in the session using the token as a key (example: the session contains t1=""). At the same time, put the token in the request, using the org.apache.struts.action.TOKEN constant as a key (example: the request contains org.apache.struts.action.TOKEN="t1").

When the form tag is used: check if the request attribute org.apache.struts.action.TOKEN exists. If it exists, get its value and generate the hidden field (example: <input type="hidden" name="org.apache.struts.action.TOKEN" value="t1"/>).

When isTokenValid() is called: get the value of the request parameter org.apache.struts.action.TOKEN (example: "t1"), and check if there is a session attribute with this value (example: if the session contains an attribute named "t1", then the token is valid).

This solution solves the multi-window problem, but introduces two new problems:

1. It could clutter the session with tokens if the user decides not to perform the action for which the token has been generated.

2. It's not possible anymore to generate and save a token in a request and verify the token 3 or 4 requests later. This is especially important to allow validation without losing the token.

To solve the second problem, the user would have to include the token parameter in each request after the generation of the token (using the form tag, or html:link with transaction="true"), and the request processor would have to extract the token parameter from the request and put it in the request attributes at each request. It would also have to append the token parameter at the end of the URI for redirect forwards.

What's your opinion? Am I asking too much?
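The per-token mechanism sketched in the report, as an added example that is neither Struts code nor the reporter's own: plain Java with Map-backed stand-ins for HttpSession and HttpServletRequest so it runs without a servlet container. The TOKEN_PREFIX (the report stores the bare token as the session key), the MAX_OUTSTANDING cap and the eviction of the oldest token are assumptions added here as one way to contain the session-clutter problem (1); the token is removed on successful validation so a second submit of the same form fails. Problem (2), carrying the token across several requests, is not attempted here.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Per-token session keys so several browser windows can hold live tokens at once. */
public class MultiWindowTokens {

    /** Same constant Struts uses for the request attribute and the hidden field name. */
    static final String TOKEN_KEY = "org.apache.struts.action.TOKEN";
    /** Assumption: prefix the session key so tokens cannot collide with other session attributes. */
    static final String TOKEN_PREFIX = TOKEN_KEY + ".";
    /** Assumption: hypothetical cap on outstanding tokens per session (problem 1 in the report). */
    static final int MAX_OUTSTANDING = 8;

    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for HttpSession; LinkedHashMap keeps insertion order so the oldest token is first. */
    static final class Session {
        final Map<String, Object> attrs = new LinkedHashMap<>();
    }

    /** Stand-in for HttpServletRequest: attributes set by the controller, parameters sent by the browser. */
    static final class Request {
        final Map<String, Object> attrs = new HashMap<>();
        final Map<String, String> params = new HashMap<>();
    }

    /** Generate a fresh token, register it in the session under its own key, expose it to the view via the request. */
    static String saveToken(Session session, Request request) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        // URL-safe Base64 without padding: safe to embed in an HTML attribute or a query string unescaped.
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        evictOldest(session);
        session.attrs.put(TOKEN_PREFIX + token, Long.valueOf(System.currentTimeMillis()));
        request.attrs.put(TOKEN_KEY, token);
        return token;
    }

    /** Drop the oldest tokens until there is room for one more (hypothetical clutter control). */
    private static void evictOldest(Session session) {
        List<String> tokenKeys = new ArrayList<>();
        for (String key : session.attrs.keySet()) {
            if (key.startsWith(TOKEN_PREFIX)) {
                tokenKeys.add(key);
            }
        }
        while (tokenKeys.size() >= MAX_OUTSTANDING) {
            session.attrs.remove(tokenKeys.remove(0));
        }
    }

    /** What the form tag would render: the hidden field carrying the request-scoped token, or nothing. */
    static String hiddenField(Request request) {
        Object token = request.attrs.get(TOKEN_KEY);
        if (token == null) {
            return "";
        }
        return "<input type=\"hidden\" name=\"" + TOKEN_KEY + "\" value=\"" + token + "\"/>";
    }

    /** Valid iff the submitted parameter names a live session token; the token is consumed so a resubmit fails. */
    static boolean isTokenValid(Session session, Request request) {
        String token = request.params.get(TOKEN_KEY);
        if (token == null || token.isEmpty()) {
            return false;
        }
        return session.attrs.remove(TOKEN_PREFIX + token) != null;
    }

    public static void main(String[] args) {
        Session session = new Session();

        // Two browser windows each render a token-protected form within the same session.
        Request render1 = new Request();
        Request render2 = new Request();
        String t1 = saveToken(session, render1);
        String t2 = saveToken(session, render2);
        System.out.println(hiddenField(render1));
        System.out.println(hiddenField(render2));

        // Window 1 submits first even though window 2 was rendered last; both must succeed once.
        Request submit1 = new Request();
        submit1.params.put(TOKEN_KEY, t1);
        Request submit2 = new Request();
        submit2.params.put(TOKEN_KEY, t2);
        Request replay1 = new Request();
        replay1.params.put(TOKEN_KEY, t1);

        System.out.println("window 1 submit: " + isTokenValid(session, submit1));
        System.out.println("window 2 submit: " + isTokenValid(session, submit2));
        System.out.println("window 1 resubmit: " + isTokenValid(session, replay1));
        System.out.println("missing token: " + isTokenValid(session, new Request()));
    }
}
```

Because each token is keyed by its own value, the order in which the windows submit no longer matters, and removing the key inside isTokenValid() gives the one-shot behaviour the single-key design relied on. The eviction loop only bounds how much an abandoned form can leave behind; it does not make a token survive the extra validation round trips the report describes under problem (2).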