This is not a potential hazard because typically in all shopping cart applications cart items are stored in HttpSession and no other user can change the session of some user (this security is provided by the Java Servlet API).

Regards,
Puneet Agarwal
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

"McCormack, Chris" <[EMAIL PROTECTED]>
07/16/2004 04:51 PM
Please respond to: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
cc:
Subject: RE: Best practice request - dynamic link to redraw page

If you use this method, I would advise that you cross-check the itemid to be removed with the session identifier of the user attempting to remove the item.
There is potential otherwise for a script kiddie to write a simple script that counts from 0-n and submits each iteration to the remove action; in theory this would remove every item from every user's basket if it ran quickly enough.

Either that or encrypt the itemkey that is written to the page.

Chris McCormack
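The two designs discussed in this thread side by side, as an added example that is not code from the thread, from Struts or from any of the posters. It models the remove action twice: once keyed on a site-wide item id looked up in a shared store (the case Chris warns about, where a counter from 0-n would hit other users' rows), and once resolved only inside the caller's own session cart (the case Puneet describes), then runs the 0-n enumeration against both. Plain maps stand in for HttpSession and for the database, and the session ids (alice, bob, mallory), product names and item ids are constructed sample data, not anything from the original page.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the thread. Plain maps stand in for HttpSession
// attributes and for a database table; all ids and names below are made up.
public class CartRemoveDemo {

    // Site-wide table of cart rows: itemid -> owning session id (stands in for a DB table).
    static final Map<Integer, String> GLOBAL_CART_ROWS = new HashMap<>();

    // Per-session carts: sessionId -> (itemid -> product). Stands in for HttpSession state.
    static final Map<String, Map<Integer, String>> SESSIONS = new HashMap<>();

    static void addItem(String sessionId, int itemId, String product) {
        SESSIONS.computeIfAbsent(sessionId, k -> new LinkedHashMap<>()).put(itemId, product);
        GLOBAL_CART_ROWS.put(itemId, sessionId);
    }

    // Vulnerable variant: trusts ?itemid=... and deletes the matching row wherever it
    // lives. The caller's session is never consulted, so any id on the site is fair game.
    static boolean removeUnchecked(String callerSession, int itemId) {
        String owner = GLOBAL_CART_ROWS.remove(itemId);
        if (owner == null) return false;
        SESSIONS.get(owner).remove(itemId);
        return true;
    }

    // Hardened variant: the id is resolved only inside the caller's own session cart.
    // An id that is not in that cart is rejected, whoever it belongs to.
    static boolean removeChecked(String callerSession, int itemId) {
        Map<Integer, String> cart = SESSIONS.get(callerSession);
        if (cart == null || !cart.containsKey(itemId)) return false; // not yours: no-op
        cart.remove(itemId);
        GLOBAL_CART_ROWS.remove(itemId);
        return true;
    }

    // The enumeration Chris describes: one session submits every id from 0 to n.
    // Returns how many removals succeeded.
    static int enumerate(String attackerSession, int n, boolean checked) {
        int removed = 0;
        for (int id = 0; id <= n; id++) {
            boolean ok = checked ? removeChecked(attackerSession, id)
                                 : removeUnchecked(attackerSession, id);
            if (ok) removed++;
        }
        return removed;
    }

    // Constructed sample data: three sessions, four cart rows.
    static void seed() {
        GLOBAL_CART_ROWS.clear();
        SESSIONS.clear();
        addItem("alice", 101, "Kettle");
        addItem("alice", 102, "Toaster");
        addItem("bob", 103, "Lamp");
        addItem("mallory", 104, "Socks");
    }

    public static void main(String[] args) {
        seed();
        int hit = enumerate("mallory", 200, false);
        System.out.println("unchecked: mallory removed " + hit
                + " item(s); alice's cart now has " + SESSIONS.get("alice").size());

        seed();
        hit = enumerate("mallory", 200, true);
        System.out.println("checked:   mallory removed " + hit
                + " item(s); alice's cart now has " + SESSIONS.get("alice").size());
    }
}
```

Run with `javac CartRemoveDemo.java && java CartRemoveDemo`. In the unchecked variant mallory's loop empties every cart on the site; in the checked variant only mallory's own row goes, because the lookup starts from the caller's session rather than from a global id. That is the same property Puneet relies on when the cart lives in HttpSession, and it is why Chris's fallback of encrypting the itemkey is only needed when the id is a key into shared storage.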

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 12:12
To: Struts Users Mailing List
Subject: Re: Best practice request - dynamic link to redraw page



Jon,
The way it is managed is: while you paint the "delete" links in your HTML, you add a query string like this

?itemid=xyz

and then in your action class method obtain the value of this variable itemid (obviously through the form-bean),
and this is how a single statement can do the work.

Hope this answers your query.

Regards,
Puneet Agarwal
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

"Jon Barber" <[EMAIL PROTECTED]>
07/16/2004 04:22 PM
Please respond to: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
cc:
Subject: Best practice request - dynamic link to redraw page

Dear All,

Trawled through the archive with no luck, but then I couldn't work out
the best search terms for this question, so.......

I'm writing a shopping basket app with the usual requirements, and using
tiles which has made things a lot less painful. However, I have this one
problem that I can't work out a nice way to solve.

On every page of the basket the contents of the basket are shown in a
panel at the bottom of the page, and against each product is a 'delete'
hyperlink.  When the user clicks on this link the product should be
removed and the page refreshed to show the modified info.

My question is - how to code the logic to do the deletion of the product
in such a way that the refreshing of the page is handled in a nice way ?
I have the usual way of using an Action to populate the contexts to
render the page, and then an Action to process the users response. When
a product is removed I will have to delete the product & then redirect
the user back to the Action to populate the page all over again.

As far as I can see I have 2 options :

1. Have one Action that performs the product removal and that accepts a
URL as a parameter that then redirects the user using that URL. I will
have to place the necessary URL in the context so that when the page is
rendered the redirect URL is set correctly for wherever the user is.
Painful & not very nice - every populate Action will have to put the
correct URL for itself into the context.

2. Have a separate Action for every single delete page so that each
instance knows where to send the user back to. Not much different from 1
& leads to a lot of Actions.

Any ideas ?

Am I missing the obvious ? For example, for 1 can I simply use the
present request URL as the URL to redirect the user to in order to redraw the
page ?

Jon.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

