Re: Identify users

2005-04-18 Thread Michael J.
Struts and the web browser have already verified it for you. The whole point of
establishing a session is to correlate a browser to the server.
The browser already sends a cookie containing the session ID to the server
along with each request. So as long as you can retrieve the user
object from the session corresponding to the incoming request, you know
that you are dealing with the right guy.

Search keyword: "session tracking".

On 4/18/05, Yan Hu <[EMAIL PROTECTED]> wrote:
> I need to check if a user is the one who has permission to a certain action.
> His role is stored in the database, for example user.isStudent.
> The whole student object is stored in the session after he logs in
> successfully.
> From that point on, every time he sends a request that invokes an action,
> I need to verify if this student is who he claims he is. I could
> include a hidden field, for example his email, in every page I send back
> to him and get this property back to verify who he is. I was wondering
> if this approach is problematic since he could manipulate the hidden field.
> Any better solutions to that? Thanks a lot!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Identify users

2005-04-18 Thread Fogleson, Allen
But if the user is in the session, then we know that when he submits a
request, or at least when that browser submits a request, it is the user
who is in the session. You could store roles for the user in the session
also and then just use the session; if the role is not present, populate
it from the DB and use the session thereafter.

Al


-Original Message-
From: Yan Hu [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 18, 2005 8:46 PM
To: Struts Users Mailing List; Daniel Watrous
Subject: Identify users

Hi:
I have a question. I need to check if a user is the one who has
permission to a certain action.
His role is stored in the database, for example user.isStudent. The
whole student object is stored in the session after he logs in
successfully. From that point on, every time he sends a request that
invokes an action, I need to verify if this student is who he claims he
is. I could include a hidden field, for example his email, in every page
I send back to him and get this property back to verify who he is. I was
wondering if this approach is problematic since he could manipulate the
hidden field. Any better solutions to that? Thanks a lot!



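The approach both replies describe, as an added example that is not code from the thread or from Struts itself: the identity comes only from the server-side session the container matched to the session-ID cookie, never from a hidden field, and the role is read from the session and populated from the database on first use. The `Student` type, `StudentDao`, and the attribute keys are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical types: the object stored in the session at login, and a
// DAO that reads the role from the database (neither is from the thread).
class Student {
    private final String id;
    Student(String id) { this.id = id; }
    String getId() { return id; }
}

interface StudentDao {
    boolean isStudent(String studentId);
}

public final class SessionRoleCheck {
    // Attribute keys are assumptions; the thread names none.
    static final String USER_KEY = "student";
    static final String ROLE_KEY = "student.isStudent";

    private final StudentDao dao;

    public SessionRoleCheck(StudentDao dao) { this.dao = dao; }

    // Returns the logged-in Student from the server-side session, or null.
    // getSession(false) never creates a session, so an unauthenticated
    // request cannot manufacture one. Nothing from request parameters or
    // hidden fields is consulted: the session-ID cookie is the only link,
    // and the container has already matched it to this HttpSession.
    public Student currentUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s == null) return null;
        Object o = s.getAttribute(USER_KEY);
        return (o instanceof Student) ? (Student) o : null;
    }

    // Al's suggestion: read the role from the session; on first use
    // populate it from the DB and cache it for the rest of the session.
    public boolean isStudent(HttpServletRequest req) {
        Student u = currentUser(req);
        if (u == null) return false;               // not logged in
        HttpSession s = req.getSession(false);
        Boolean cached = (Boolean) s.getAttribute(ROLE_KEY);
        if (cached == null) {
            cached = Boolean.valueOf(dao.isStudent(u.getId()));
            s.setAttribute(ROLE_KEY, cached);
        }
        return cached.booleanValue();
    }
}
```

In a Struts Action's `execute`, call `isStudent(request)` before doing the protected work and forward to an access-denied page when it returns false; an attacker who edits a hidden field changes nothing here because the check never reads it.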


Identify users

2005-04-18 Thread Yan Hu
Hi:
I have a question. I need to check if a user is the one who has permission
to a certain action.
His role is stored in the database, for example user.isStudent. The whole
student object is stored in the session after he logs in successfully. From
that point on, every time he sends a request that invokes an action, I need
to verify if this student is who he claims he is. I could include a hidden
field, for example his email, in every page I send back to him and get this
property back to verify who he is. I was wondering if this approach is
problematic since he could manipulate the hidden field. Any better solutions
to that? Thanks a lot!
