Great! Did Duane Fields (WDJSP) contact you? He indicated that he had a
much more comprehensive package that he had written for a client
that he would donate to struts.

Originally, I had the token tied in with the standard hidden field
name. I was going to rework the code into a better form, so let
me know if I can be of help on this, even if it is to document!

-Rob

"Craig R. McClanahan" wrote:

> Robert Leland wrote:
>
> > > ActionServlet and added code to set a request attribute named
> > > "ActionServlet":
> > >
> > >     private static final Boolean boolTrue = new Boolean(true);
> > >     ...
> > >     request.setAttribute("ActionServlet", boolTrue);
> > >
> >
> > I submitted some code back in about Oct 10 to struts-dev
> > that would prevent that scenario. It also used a hidden
> > field in the form. It set a "token"
> > in both the 'session' and 'request'. The token was
> > an MD5 encoded 'single' use field. See
> > "Web Development with JavaServer Pages", Fields, Kolb (taglib.com)
> >
>
> I've been toying with this particular approach ... not only can it be
> used to solve the "back door" problem as stated, you can also use it to
> help deal with the dreaded "back button" problem where the user resubmits
> a form again.
>
> >
> > Even though the page can be accessed initially w/o the use of
> > the Action Servlet, when it is submitted it does go through
> > the Action Servlet. Since the token is good for only one
> > submit event the token could be checked at the action servlet level,
> > or more flexibly in the ActionForm itself. It takes about
> > 1 line of code to perform the check.
> >   if (!Token.IsValid()) {};
> >
> > --
> > Robert Leland                   [EMAIL PROTECTED]
> > 804 N. Kenmore Street           +01-703-525-3580
> > Arlington VA 22201
>
> Craig McClanahan

--
Rob Leland [EMAIL PROTECTED] (+01-202-544-0533)
CGH Technologies
FAA ATA 200 Lab
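The single-use token scheme discussed in this thread, as an added illustration (not code from Struts or from either poster): the token-issuing page stores a token in the session and emits it as a hidden field, and the submit handler compares the two and consumes the session copy, so a form posted without visiting the issuing page ("back door") and a resubmit of the same form ("back button") are both rejected. The attribute name, the dict-based session/request stand-ins and the use of a random token rather than an MD5 digest are assumptions of this example.

```python
import hmac
import secrets

# Name of the session attribute and of the hidden form field (assumed for this example).
TOKEN_KEY = "transaction_token"


def save_token(session: dict) -> str:
    """Issue a fresh single-use token: store it in the session and return it
    so the rendering page can embed it in a hidden form field."""
    token = secrets.token_hex(16)  # unpredictable; not derived from guessable inputs
    session[TOKEN_KEY] = token
    return token


def is_token_valid(session: dict, request_params: dict) -> bool:
    """Compare the submitted token with the session copy and consume it.
    The session copy is removed on every check, so a token is good for
    exactly one submit event, whatever the outcome of the comparison."""
    expected = session.pop(TOKEN_KEY, None)
    submitted = request_params.get(TOKEN_KEY)
    if expected is None or submitted is None:
        return False  # no token issued ("back door") or none submitted
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def handle_submit(session: dict, request_params: dict) -> str:
    """Stand-in for the ActionForm/Action check: reject before doing any work."""
    if not is_token_valid(session, request_params):
        return "rejected"
    return "processed"


def demo() -> list:
    """Constructed walk-through of the three cases discussed in the thread."""
    session = {}
    # 1. Back door: the form is posted without ever loading the issuing page.
    r1 = handle_submit(session, {"amount": "100"})
    # 2. Normal flow: the page issues a token and the user submits it once.
    token = save_token(session)
    r2 = handle_submit(session, {"amount": "100", TOKEN_KEY: token})
    # 3. Back button: the same form, carrying the same token, is submitted again.
    r3 = handle_submit(session, {"amount": "100", TOKEN_KEY: token})
    return [r1, r2, r3]  # ["rejected", "processed", "rejected"]
```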