> ActionServlet and added code to set a request attribute named
> "ActionServlet":
> 
>     private static final Boolean boolTrue = new Boolean(true);
>     ...
>     request.setAttribute("ActionServlet", boolTrue);
> 

I submitted some code back in about Oct 10 to struts-dev
that would prevent that scenario. It also used a hidden
field in the form. It set a "token"
in both the 'session' and 'request'. The token was
an MD5 encoded 'single' use field. See
"Web Development with JavaServer Pages", Fields, Kolb (taglib.com)

Even though the page can be accessed initially w/o the use of
the Action Servlet, when it is submitted it does go through
the Action Servlet. Since the token is good for only one
submit event the token could be checked at the action servlet level,
or more flexibly in the ActionForm itself. It takes about
1 line of code to perform the check.
  if (!Token.IsValid()) {};
-- 
Robert Leland                   [EMAIL PROTECTED]
804 N. Kenmore Street           +01-703-525-3580
Arlington VA 22201

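The single-use session/request token described in the mail above, written out as an added example. This is not the code that was submitted to struts-dev and not part of Struts itself; the class name TokenUtil, the attribute name SESSION_KEY, the hidden-field name PARAM_NAME and the "duplicate" forward are assumptions. The token is issued when the form is rendered, carried back in a hidden field, and cleared from the session on the first valid check, so a refresh, double click or replayed POST of the same form fails the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Single-use form token, as an illustration of the approach in the mail.
 * Class, attribute and parameter names are assumptions, not Struts' own.
 */
public final class TokenUtil {

    /** Session attribute holding the token issued with the last form (assumed name). */
    public static final String SESSION_KEY = "org.example.TRANSACTION_TOKEN";
    /** Name of the hidden form field that carries the token back (assumed name). */
    public static final String PARAM_NAME = "org.example.TOKEN";

    private static final SecureRandom RANDOM = new SecureRandom();

    private TokenUtil() {}

    /**
     * Create a fresh token, store it in the session and return it so the JSP
     * can emit it as a hidden field:
     *   <input type="hidden" name="<%= TokenUtil.PARAM_NAME %>"
     *          value="<%= TokenUtil.saveToken(request) %>">
     */
    public static String saveToken(HttpServletRequest request) {
        byte[] seed = new byte[16];
        RANDOM.nextBytes(seed);
        // The mail describes an MD5 encoded token. The unpredictability comes
        // from the SecureRandom bytes; MD5 only turns them into a fixed-width hex string.
        String token = toHex(md5(seed, Long.toString(System.currentTimeMillis())));
        request.getSession(true).setAttribute(SESSION_KEY, token);
        return token;
    }

    /**
     * Returns true exactly once per issued token: the submitted hidden field
     * must equal the session copy, and the session copy is then removed so a
     * second submit of the same form (refresh, double click, replayed POST)
     * is rejected.
     */
    public static boolean isTokenValid(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false; // no session, so no token was ever issued
        }
        Object saved = session.getAttribute(SESSION_KEY);
        String submitted = request.getParameter(PARAM_NAME);
        if (!(saved instanceof String) || submitted == null) {
            return false; // form was not rendered through saveToken, or field missing
        }
        // Constant-time comparison so the token cannot be guessed byte by byte.
        boolean match = MessageDigest.isEqual(
                ((String) saved).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (match) {
            session.removeAttribute(SESSION_KEY); // single use
        }
        return match;
    }

    private static byte[] md5(byte[] seed, String salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(seed);
            md.update(salt.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

In the Action (or in ActionForm.validate, as the mail suggests) the check is the one line
if (!TokenUtil.isTokenValid(request)) return mapping.findForward("duplicate");
so that a page reached without going through the Action Servlet still has to present a
token issued by saveToken before its submit is processed.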