The isTokenValid() method compares the token value from the request attribute (hidden field
stored in the form) with the token stored in the session. If it matches, then the session is
valid.
I have one doubt in the following scenario.


<action path="/ATCreateConfirm"
        type="com.test.ATCreateConfirmAction"
        name="ATCreateForm"
        scope="session"
        input="ATCreate.jsp"
        validate="true">
    <forward name="Success" path="/ATCreate.do"/>
    <forward name="failureLoad" path="/ATCreate.do"/>
    <forward name="failureSubmit" path="/ATCreateCutOff.jsp"/>
</action>

In this scenario the first request will be ATCreateConfirm.do. In the
ATCreateConfirmAction class I will check the token and validate it; if it is valid I
will generate a new token. But after success of this action it calls ATCreate.do, in
which case this request still contains the old transaction token value from the form.
If I am going to check the validity of the token in the corresponding action class of
"ATCreate.do", the token will not be valid because the previous action has already
updated it.

So my question is, in this case where one mapping forwards to another ".do", how to
handle this token. Do I have to manually check for the following scenarios, or does
Struts have any way to handle this type of scenario?

Any help will be great.

Thanks,
Subhendu

-----Original Message-----
From: Ted Husted [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 9:27 AM
To: Struts Users Mailing List
Subject: Re: Methods In Action Class


Before going to a page you want to protect, route to an Action first and
call SaveToken. This stores a token with a unique value in the user's
session.

If the page uses the html:form tag, it will automatically include a
hidden field with the token if it finds one in the session. 

In the Action that receives the page, use isTokenValue to see if the
token in the session matches the one from the form. Call resetToken to
clear the token, so it can't be used again.

-- Ted Husted, Husted dot Com, Fairport NY US
-- Developing Java Web Applications with Struts
-- Tel: +1 585 737-3463
-- Web: http://husted.com/about/services
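The save / validate / reset cycle Ted describes, and the forwarded-request case raised at the top of the thread, as an added self-contained example. This is not Struts source and not code from either poster: the servlet session and request are stand-ins (plain maps), the token is a random hex string instead of the MD5-of-session-id that Struts 1 used, and the two key names are given as I recall them from Struts 1 and should be treated as assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Toy model of Struts 1 transaction tokens (added example, not Struts code). */
public class TransactionTokenDemo {

    // Assumed to match Globals.TRANSACTION_TOKEN_KEY and the html:form hidden
    // field name in Struts 1; the exact strings are not needed for the logic.
    static final String SESSION_TOKEN_KEY = "org.apache.struts.action.TOKEN";
    static final String REQUEST_TOKEN_PARAM = "org.apache.struts.taglib.html.TOKEN";

    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-ins for HttpSession and HttpServletRequest so the demo runs offline. */
    static class Session { final Map<String, Object> attrs = new HashMap<>(); }
    static class Request {
        final Session session;
        final Map<String, String> params = new HashMap<>();
        Request(Session s) { session = s; }
    }

    /** Unpredictable token; Struts derived it from session id + time, this uses a CSPRNG. */
    static String generateToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Store a fresh token in the session before rendering the protected form. */
    static void saveToken(Request req) {
        req.session.attrs.put(SESSION_TOKEN_KEY, generateToken());
    }

    /** Compare the hidden-field value with the session token (constant time). */
    static boolean isTokenValid(Request req) {
        Object saved = req.session.attrs.get(SESSION_TOKEN_KEY);
        String submitted = req.params.get(REQUEST_TOKEN_PARAM);
        if (saved == null || submitted == null) return false;
        return MessageDigest.isEqual(saved.toString().getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Remove the token so the same form submission cannot be accepted twice. */
    static void resetToken(Request req) {
        req.session.attrs.remove(SESSION_TOKEN_KEY);
    }

    /** Simulates html:form copying the session token into the hidden field. */
    static Request submitForm(Session s) {
        Request req = new Request(s);
        req.params.put(REQUEST_TOKEN_PARAM, (String) s.attrs.get(SESSION_TOKEN_KEY));
        return req;
    }

    /** Returns {firstSubmit, backButtonReplay, checkInForwardedAction}. */
    static boolean[] runScenarios() {
        Session s = new Session();

        // 1. Action that precedes the form saves a token, form is rendered, user submits.
        saveToken(new Request(s));
        Request submit = submitForm(s);
        boolean firstSubmit = isTokenValid(submit);
        resetToken(submit);

        // 2. User presses Back and submits the same page again: token is gone.
        Request replay = new Request(s);
        replay.params.putAll(submit.params);
        boolean replayAccepted = isTokenValid(replay);

        // 3. ATCreateConfirm validates, resets, saves a new token, then forwards to
        //    ATCreate.do. A forward reuses the SAME request, so the hidden field still
        //    carries the consumed token and a second check in the next action fails.
        saveToken(new Request(s));
        Request confirm = submitForm(s);
        boolean confirmOk = isTokenValid(confirm);
        resetToken(confirm);
        saveToken(confirm);                       // new token for the next form
        boolean forwardedCheck = confirmOk && isTokenValid(confirm);

        return new boolean[] { firstSubmit, replayAccepted, forwardedCheck };
    }

    public static void main(String[] args) {
        boolean[] r = runScenarios();
        System.out.println("first submit accepted:          " + r[0]); // true
        System.out.println("back-button replay accepted:    " + r[1]); // false
        System.out.println("token valid in forwarded action: " + r[2]); // false
    }
}
```

The third scenario reproduces the failure described at the top of the thread: a forward does not create a new request, so the hidden field still holds the token that the first action already consumed. A token is single-use by design; validate it once per request in the action that receives the form, and only call saveToken when you are about to render the next protected form.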


subhendukumar mohanty wrote:
> 
> Hi
> 
> I found the following methods in Action.java which I think may help to control the
> session ID. That means if the user submits the page and presses the back button and
> submits the page again it will throw an error.
> 
> generateToken(HttpServletRequest request)
> saveToken(HttpServletRequest request)
> isTokenValid(HttpServletRequest request)
> 
> If anybody has used these methods let me know how to use these methods .
> 
> Thanks,
> Subhendu
> 
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>