Robert Leland wrote:

> > ActionServlet and added code to set a request attribute named
> > "ActionServlet":
> >
> >     private static final Boolean boolTrue = new Boolean(true);
> >     ...
> >     request.setAttribute("ActionServlet", boolTrue);
> >
>
> I submitted some code back in about Oct 10 to struts-dev
> that would prevent that scenario. It also used a hidden
> field in the form. It set a "token"
> in both the 'session' and 'request'. The token was
> an MD5 encoded 'single' use field. See
> "Web Development with JavaServer Pages", Fields, Kolb (taglib.com)
>

I've been toying with this particular approach ... not only can it be
used to solve the "back door" problem as stated, you can also use it to
help deal with the dreaded "back button" problem where the user resubmits
a form again.

>
> Even though the page can be accessed initially w/o the use of
> the Action Servlet, when it is submitted it does go through
> the Action Servlet. Since the token is good for only one
> submit event the token could be checked at the action servlet level,
> or more flexibly in the ActionForm itself. It takes about
> 1 line of code to perform the check.
>   if (!Token.IsValid()) {};
>
> --
> Robert Leland                   [EMAIL PROTECTED]
> 804 N. Kenmore Street           +01-703-525-3580
> Arlington VA 22201

Craig McClanahan
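The single-use token scheme discussed above (token saved in the session, echoed back in a hidden field, checked and consumed on submit), as an added illustration that is not code from the thread or from Struts; it is written in Python rather than Java so the flow is easy to run stand-alone, uses an in-memory dict as a stand-in for HttpSession, substitutes a random token for the MD5 value mentioned in the mail, and the attribute name `form.token` is a constructed placeholder, not a Struts constant.

```python
import hmac
import secrets

# Constructed attribute/parameter name used for both the session entry
# and the hidden form field; not a real Struts identifier.
TOKEN_KEY = "form.token"


def save_token(session):
    """Generate a fresh single-use token, store it in the session (a dict
    standing in for HttpSession) and return it for the hidden field."""
    token = secrets.token_hex(16)
    session[TOKEN_KEY] = token
    return token


def render_hidden_field(token):
    """The hidden input the JSP would emit so the submit carries the token."""
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_KEY, token)


def is_token_valid(session, request_params, reset=True):
    """The one-line check from the mail, spelled out: the submitted token must
    match the session's token, and by default it is consumed so a second
    submit of the same form (back button, double click, direct POST that
    skipped the form) is rejected."""
    saved = session.get(TOKEN_KEY)
    submitted = request_params.get(TOKEN_KEY)
    if saved is None or submitted is None:
        return False
    # Constant-time comparison; both values are ASCII hex here.
    if not hmac.compare_digest(saved.encode(), submitted.encode()):
        return False
    if reset:
        del session[TOKEN_KEY]
    return True


def simulate_form_lifecycle():
    """Render the form once, then submit it twice and once without the token.
    Returns (first_submit_ok, resubmit_ok, bypass_ok)."""
    session = {}
    token = save_token(session)
    form_post = {TOKEN_KEY: token, "amount": "100"}   # constructed submit
    first = is_token_valid(session, form_post)
    second = is_token_valid(session, form_post)       # back-button resubmit
    bypass = is_token_valid(session, {"amount": "100"})  # never rendered form
    return first, second, bypass
```

Calling `is_token_valid(session, params, reset=False)` gives the "check without consuming" variant for a multi-step form; the hidden field from `render_hidden_field` is what ties the rendered page to that session.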

