Browsers were designed at the beginning just like VCRs - a one-way mechanism. (Remember Mosaic?) More like reading a book.
Essentially you are right that we have to fix this using server-side techniques. Perhaps one day there will be a new HTTP specification from W3C that says certain PUT operations should not go into the browser's history or be repeated by the back-button. From a security point of view though, a browser is only a tool for doing HTTP operations, and hackers or crackers can use other tools to do exactly what they want. That is the open nature of the internet which no W3C spec. will control.
Adam
On 09/04/2003 09:16 AM Jing Zhou wrote:
Yes. With server-side tokens we solve the Back button's problem. But I see it as a *fix* after wrong actions from end users. It is now clear that this is a challenging problem to close the door at client-sides to possible wrong actions.
When a user watches movies using a VCR, if the user touches a wrong button by accident and the VCR gives a message like "You have to replay the movie from the beginning", would people consider the interface of the VCR good? Could the VCR be improved to ignore irrelevant button's actions?
I believe we will have answers.
Jing
----- Original Message -----
From: "Adam Hardy" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, September 03, 2003 5:18 PM
Subject: Re: Is there a way to disable the browser's Back button without sending an http request?
Hi Jing, surely it is possible to solve your state problems with server-side checks? Each page can set a control mechanism with a value in the user's session when the page is displayed. Any submission from any page in your wizard app is either allowed or disallowed by referencing the info stored in the session.
Adam
On 09/03/2003 08:28 PM Jing Zhou wrote:
We use the "POST" method for almost every web form in wizard-like applications with the internal forwarding mechanism. If the browser's Back button could be disabled for the next page, all bad things that destroy application states will be gone. Token mechanism had been carefully examined. But I am wondering if we have a better solution than tokens...
I just discovered a way that allows me to nullify the Back button without sending http requests (enabled but doing nothing if clicked). But it works only on IE 5.0. I am looking for the reasons on IE 6.0 now.
Our experiments show using history.forward() or history.forward(1) would not work for me. The Back button behaves as expected.
Jing Netspread Carrier http://www.netspread.com
----- Original Message -----
From: "iguane183" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, September 03, 2003 8:59 AM
Subject: RE: Is there a way to disable the browser's Back button without sending an http request?
Maybe you could go from page to page with <form method="post" >. The browser will have to send the request again (because "the page has expired") and then you can verify with a token what is happening.
Gabriel K.
At 21:44 03/09/2003 +0800, you wrote:
Not if your browser sends a new request for the previous page instead of using its cache, and that page crashes since the objects it's expecting in various contexts aren't there anymore...
-----Original Message-----
From: Brian Lee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 September 2003 21:37
To: [EMAIL PROTECTED]
Subject: RE: Is there a way to disable the browser's Back button without sending an http request?
You can also include a line like this in each jsp: window.history.forward(1);
This will effectively negate the back button.
BAL
From: "Mark Galbreath" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>, "Jing Zhou" <[EMAIL PROTECTED]>
Subject: RE: Is there a way to disable the browser's Back button without sending an http request?
Date: Wed, 3 Sep 2003 07:15:31 -0400
Set a token in request scope and use Struts logic tags to test its presence and value, then forward or not. Simple.
Mark
-----Original Message-----
From: Jing Zhou [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 11:53 PM
To: Struts Users Mailing List
Subject: Is there a way to disable the browser's Back button without sending an http request?
It looks to me the answer is NO, although we could use JavaScript location.replace('url'). But the statement sends out an http request.
I would like to know if there is a different answer to it.
Jing Netspread Carrier http://www.netspread.com
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- struts 1.1 + tomcat 4.1.27 + java 1.4.2 Linux 2.4.20 RH9
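The server-side check discussed in this thread (a value stored in the user's session when a wizard page is displayed, then checked on submission), as an added example that is not code from any poster or from Struts. `WizardGuard`, `issue`, `accept` and the attribute name are hypothetical, and a `Map` stands in for the `HttpSession` so the sketch runs without a servlet container.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: WizardGuard and its method names are hypothetical, not Struts API.
// The Map stands in for HttpSession attributes (assumption made to stay self-contained).
public class WizardGuard {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String KEY = "wizard.expected"; // constructed attribute name

    // Call when rendering a step: record which step and token the next POST must carry.
    static String issue(Map<String, Object> session, int step) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(KEY, step + ":" + token);
        return token; // emitted into a hidden form field of the rendered page
    }

    // Call first in the action that handles the POST. The expected value is
    // removed before comparing, so any token is accepted at most once and a
    // form replayed from browser history never matches.
    static boolean accept(Map<String, Object> session, int step, String token) {
        Object expected = session.remove(KEY);
        if (expected == null || token == null) return false;
        byte[] want = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] got = (step + ":" + token).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(want, got); // comparison without early exit
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String t1 = issue(session, 1);               // step 1 is displayed
        System.out.println("step 1 submit: " + accept(session, 1, t1));
        String t2 = issue(session, 2);               // step 2 is displayed
        // User presses Back and resubmits the old step-1 form with its old token.
        System.out.println("stale step 1 resubmit: " + accept(session, 1, t1));
        // The application redisplays the current step, which issues a fresh token.
        t2 = issue(session, 2);
        System.out.println("step 2 submit: " + accept(session, 2, t2));
    }
}
```

Because the decision is made from session state alone, it holds regardless of which client sends the request or what the browser's history does.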