> Agreed, but how do you check that the hidden ids that come back with the
> submit are the ones that you sent in the first place? It's not that hard
> to use something like HttpClient to send malicious POSTs

Yes, it's possible but not likely; in general users use multiple tabs,
and they don't use HttpClients.
If you would like to be protected from parameter manipulation,
another mechanism would be needed.


> I'm not trying to stop them using multiple tabs, I'm trying to ensure that
> they don't walk over each other while they're doing it.

Then if the POSTs need no session data they won't interrupt each other;
such POSTs are self-sufficient.

> Looking at the code for MessageStoreInterceptor, for example, I think
> (and I need to test this)
> it looks like, in a multi-tab environment, you couldn't be sure which tab
> would get any error messages. Tab A submits a form with errors, Tab B
> submits another form, it looks like Tab B could potentially return with
> TabA's error messages - which could be doubly confusing if the activities in
> TabA and TabB were unrelated. Processing multiple tabs simultaneously seems
> to me to be comparable to running multiple threads accessing an
> unsynchronized common resource - the HttpSession.

As far as I remember, MessageStoreInterceptor is needed when a redirect
is called after submit and you don't want to lose errors, and it
will not function properly when a user submits many forms for the
same object at the same moment.

As Dave said, check out the Seam framework;
there is also a thread (months or years ago) on this group
where people were talking about adding such functionality to Struts2.

Best greetings,
Paweł Wielgus.
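
One possible "other mechanism" for the hidden-id question in this thread, as an added example that is not part of the original message and not Struts code: the server attaches an HMAC tag to each hidden id when rendering the form and verifies it on submit, which needs no HttpSession state and so behaves the same across tabs. The class name `HiddenIdSigner`, the `formName` binding and the sample ids are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration: HiddenIdSigner and formName are hypothetical names, not Struts API.
public class HiddenIdSigner {
    private final SecretKeySpec key;

    public HiddenIdSigner(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    private byte[] mac(String formName, String id) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        // Length-prefix the form name so ("ab","c") and ("a","bc") cannot collide.
        m.update((formName.length() + ":" + formName + ":" + id).getBytes(StandardCharsets.UTF_8));
        return m.doFinal();
    }

    /** Value to render in the hidden field: "<id>.<base64url tag>". */
    public String sign(String formName, String id) throws Exception {
        return id + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(formName, id));
    }

    /** Returns the id if the tag matches, otherwise null (reject the POST). */
    public String verify(String formName, String field) throws Exception {
        int dot = field == null ? -1 : field.lastIndexOf('.');
        if (dot < 1) return null;
        String id = field.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(field.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // tag is not valid base64url
        }
        return MessageDigest.isEqual(mac(formName, id), given) ? id : null; // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);                 // server-side secret, never sent to the client
        HiddenIdSigner s = new HiddenIdSigner(secret);
        String field = s.sign("editOrder", "1042");           // constructed sample id
        System.out.println(s.verify("editOrder", field));     // unmodified field
        System.out.println(s.verify("editOrder", field.replace("1042", "1043"))); // id altered after rendering
        System.out.println(s.verify("editCustomer", field));  // field replayed into a different form
    }
}
```

The tag only shows that the id was issued by the server for that form; the action must still check that the current user is allowed to act on that id.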
