Paweł Wielgus wrote:
> 
> 
> Every form needs to have all necessary ids as hidden fields.
> That way, posting a form will always update the appropriate object with
> the appropriate data.
> 

Agreed, but how do you check that the hidden ids that come back with the
submit are the ones that you sent in the first place? It's not that hard
to use something like HttpClient to send malicious POSTs.


Paweł Wielgus wrote:
> 
> And it's completely unimportant from which tab it will be submitted.
> As for me, user can open 15 tabs and do 15 different things in them
> simultaneously.
> Imagine a list of objects with edit links,
> user opens these edit links in new tabs,
> and wants to edit and save one by one - why would you disallow it?
> In the end HTTP is stateless.
> 

I'm not trying to stop them using multiple tabs, I'm trying to ensure that
they don't walk over each other while they're doing it. Looking at the code
for MessageStoreInterceptor, for example, I think (and I need to test this)
it looks like, in a multi-tab environment, you couldn't be sure which tab
would get any error messages. Tab A submits a form with errors, Tab B
submits another form, it looks like Tab B could potentially return with
Tab A's error messages - which could be doubly confusing if the activities in
Tab A and Tab B were unrelated. Processing multiple tabs simultaneously seems
to me to be comparable to running multiple threads accessing an
unsynchronized common resource - the HttpSession.

Regards


-- 
View this message in context: 
http://old.nabble.com/Struts-2%2C-Session-Management-and-%22WorkFlow%22.-tp29726121p29727312.html
Sent from the Struts - User mailing list archive at Nabble.com.
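
One way to do the check asked about in the message above, as an added example (not code from the thread or from Struts 2): the server emits an HMAC over the session id, form name and object id in a second hidden field and recomputes it on submit. The class HiddenIdSeal, its method names and the sample values are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not a Struts 2 class: seals a hidden id so a changed value is detected on submit.
public class HiddenIdSeal {
    private final SecretKeySpec key;
    public HiddenIdSeal(byte[] serverSecret) {
        key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }
    // MAC over length-prefixed fields, so ("ab","c") and ("a","bc") cannot collide.
    private byte[] mac(String... parts) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        for (String p : parts) {
            byte[] b = p.getBytes(StandardCharsets.UTF_8);
            m.update(ByteBuffer.allocate(4).putInt(b.length).array());
            m.update(b);
        }
        return m.doFinal();
    }
    // When rendering the form: put this value in a second hidden field next to the id.
    public String seal(String sessionId, String form, String id) throws Exception {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac(sessionId, form, id));
    }
    // When handling the POST: recompute the MAC and compare in constant time.
    public boolean verify(String sessionId, String form, String id, String seal) throws Exception {
        if (sessionId == null || id == null || seal == null) return false;
        try {
            return MessageDigest.isEqual(mac(sessionId, form, id), Base64.getUrlDecoder().decode(seal));
        } catch (IllegalArgumentException e) {
            return false; // seal is not valid Base64
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // in a deployment: a stable secret kept server-side
        HiddenIdSeal s = new HiddenIdSeal(secret);
        String seal = s.seal("sess-A", "editCustomer", "42"); // constructed sample values
        System.out.println(s.verify("sess-A", "editCustomer", "42", seal)); // id as sent
        System.out.println(s.verify("sess-A", "editCustomer", "43", seal)); // id changed in the POST
        System.out.println(s.verify("sess-B", "editCustomer", "42", seal)); // seal replayed from another session
    }
}
```

The seal only shows that this id was issued to this session for this form; the action still has to check that the user is allowed to modify the object.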