Re: Form data refresh?

2008-02-21 Thread Christopher Schultz


Alaska,

Alaska Winter wrote:
| What happens if user hits the back button to catalogue? Perfectly valid
| thing to do.

If they submit an old (expired) token, then you simply ignore the
request. You will probably want to notify them why the request was
ignored. But in this case, there has been a new roundtrip to the server,
giving you the opportunity to put the new (valid) token into the session.

Another option (which I favor to avoid this type of problem) is to
redirect the client after any operation that should not be accidentally
repeatable.

-chris

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Form data refresh?

2008-02-20 Thread Alaska Winter
I think I understand:
-- generate unique token=xyz123 and store in the session
-- generate catalogue content so that addToCart URLs look like this in the
html source:
http://my.domain.com/addToCart.do?itemId=HB0019&token=xyz123
-- when user adds an item to the cart, check form data token against
session token.
-- if match, add to cart, generate new token and store in session.
-- user clicks 'continue shopping' and new catalogue content is generated with
URLs containing new session token:
http://my.domain.com/addToCart.do?itemId=HB0019&token=bgh456

What happens if user hits the back button to catalogue? Perfectly valid
thing to do.


Re: Form data refresh?

2008-02-20 Thread David Smith

Alaska Winter wrote:
> > I would add a one time token to the request.
>
> Do you mean on the client side using javascript or something?

Nope... just either a hidden field in the form or if you are building 
URLs w/ parameters, just add it in.  Very simple stuff.


1. tomcat receives request
2. if it's an action request like adding an item to a cart, check for 
the presence of the token and compare to the one on the session.
3. On match, change the token in the session so the response can make 
sure it gets in the response hidden field or urls.
   Failing a match, create a new one anyway and store it in the session 
for the response and forward to a safe non-action page like a browse page
4. Build response w/ either the hidden field pre-loaded with the new 
token or urls built w/ the new token.


Nothing so complex as javascript involved.  Just straight server-side 
management.


--David
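As an added illustration (not code from anyone in this thread), the four steps David lists above and the redirect Chris favours, written as a servlet Filter for the action URLs; the session attribute name `submitToken`, the parameter name `token` and the `/catalogue.do` safe page are assumptions:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Filter mapped to action URLs (e.g. /addToCart.do): compare the submitted token
// with the session token, rotate the session token either way, and send
// non-matching requests to a safe browse page instead of repeating the action.
public class SubmitTokenFilter implements Filter {
    static final String TOKEN_ATTR = "submitToken";  // session attribute name (assumed)
    static final String TOKEN_PARAM = "token";       // request parameter name, as in the thread's URLs
    static final String SAFE_PAGE = "/catalogue.do"; // assumed non-action page to redirect to
    private final SecureRandom rng = new SecureRandom();
    // Store a fresh, unguessable token in the session and return it so the
    // page builder can embed it in a hidden field or in the addToCart URLs.
    static String rotate(HttpSession session, SecureRandom rng) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }
    // Constant-time comparison so a token cannot be guessed byte by byte via timing.
    static boolean matches(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        boolean valid = matches(expected, request.getParameter(TOKEN_PARAM));
        rotate(session, rng);  // new token either way; concurrent requests in one session still need serialising
        if (!valid) {
            // Refresh or back-button resubmit carries an old token: do not repeat
            // the action; redirect so the browser's current page is a plain GET.
            response.sendRedirect(request.getContextPath() + SAFE_PAGE);
            return;
        }
        chain.doFilter(req, res);  // token matched exactly once: let the action run
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Map the filter to the action URLs in web.xml and have the catalogue page read `session.getAttribute("submitToken")` when it builds its links or hidden field.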




Re: Form data refresh?

2008-02-20 Thread Alaska Winter
> I would add a one time token to the request.

Do you mean on the client side using javascript or something?


Re: Form data refresh?

2008-02-19 Thread Len Popp
Another suggestion: The HTML spec recommends using "POST" instead of
"GET" for a form operation that changes something on the server. If a
user refreshes the page the browser will post a warning before
re-submitting the POST request. That may not be enough of a safeguard
in your situation but it's still good practice and helps the user know
what's going on.
-- 
Len

On Feb 19, 2008 9:51 PM, Alaska Winter <[EMAIL PROTECTED]> wrote:
> Hi,
> If a user adds an item to his/her shopping cart using form data like this:
> http://my.domain.com/addToCart.do?itemId=HB0019
> How can I determine if it was generated from user clicking an add-to-cart
> link vs. a browser refresh?
> I don't want to increment the quantity in the cart for this item if the user
> refreshes the browser but I do want to increment if the user clicks the add
> button again for this item.
>
>
>
> Thanks
>




Re: Form data refresh?

2008-02-19 Thread David Smith
I would add a one time token to the request.  Store it in the session 
and when it comes back, the request is good.  Immediately generate a new 
token, process the request and send back the response.  If an 
unrecognized value comes in, treat the request as a default page/catalog 
view.


--David

Alaska Winter wrote:
> Hi,
> If a user adds an item to his/her shopping cart using form data like this:
> http://my.domain.com/addToCart.do?itemId=HB0019
> How can I determine if it was generated from user clicking an add-to-cart
> link vs. a browser refresh?
> I don't want to increment the quantity in the cart for this item if the user
> refreshes the browser but I do want to increment if the user clicks the add
> button again for this item.
>
> Thanks


