Thank you very much. I will do as you suggest.

Elisabeth

-----Original Message-----
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: lunes, 04 de junio de 2007 15:58
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

I'm suggesting you generate a token when rendering a form and store it as an attribute of the session and as a hidden field in the form. Every time you get a form submission, compare the request parameter against the session stored value and process the request. Retrieve and remove the attribute as soon as a form submission comes in to both flag your jsp that there isn't already a token out there and help protect against a double submit. Some users just can't resist that itchy trigger finger ;-).

--David

Bachler, Elisabeth (Elisabeth) wrote:

>Thanks for your response.... Are you saying that every time the
>index.html is executed, I should generate a random number and send it
>to the other files. Then compare it with the one I have in the stack?
>
>Elisabeth
>
>-----Original Message-----
>From: David Smith [mailto:[EMAIL PROTECTED]
>Sent: lunes, 04 de junio de 2007 14:10
>To: Tomcat Users List
>Subject: Re: I would like a new session each time I start my application
>
>As an alternative, you could incorporate one time tokens. Generate on
>every page request, stored in both session and request parameters and
>compare on every submission. If they go out of sync (i.e. an old one
>shows up) you know they spawned a new window. In that case the old
>window should be considered abandoned. Post a polite error message and
>otherwise ignore the request.
>
>The tokens don't have to be complex -- a simple 16 bit random number
>should be more than sufficient. You could build it as a filter to help
>validate the request before it gets to your action code.
>
>--David
>
>Johnny Kewl wrote:
>
>>Can't say I do understand...
>>Session IDs are almost untouchables... they're used by too many things,
>>authentication, SSO, load balancing, and I'm worried that when the
>>user does something as simple as a right click and opens a new page,
>>the app breaks.
>>
>>I'm not sure what you're saying but I would rather go for something like
>>change credits.
>>So, user does something that allows them one change... you store that
>>in session ID, as an attribute, something like,
>>setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on
>>page 5 they make the change....
>>the attribute is set back to 0;
>>None of the other pages will allow it.... something like that.
>>
>>All I think that is happening is you're trying to store state in the
>>browser page, instead of the Session. i.e. you give them page, they
>>change, you present them with page that is one state further on... i.e.
>>thank you for change, can't change anymore, but user just has to open
>>new page and they're back to the beginning.
>>But if you store the state in the session.... that won't happen.
>>Irony is I think you actually need that Session.
>>
>>Good Luck
>>
>>----- Original Message -----
>>From: "Bachler, Elisabeth (Elisabeth)" <[EMAIL PROTECTED]>
>>To: "Tomcat Users List" <users@tomcat.apache.org>
>>Sent: Monday, June 04, 2007 12:32 PM
>>Subject: RE: I would like a new session each time I start my application
>>
>>The thing is that my application accesses a database. When the user
>>wants to modify the db, I lock the access to this particular action
>>(and let the user only view the data) using the sessionID.
>>Now, if the user is "bad"... He can log on once and get the modify
>>action... Then he can open a new screen and modify things again...
>>Which is not what I need. Every time a new screen is opened to execute
>>the application I need a different sessionID. Do you see what my
>>problem is? I don't know another way of doing it.
>>
>>-----Original Message-----
>>From: Johnny Kewl [mailto:[EMAIL PROTECTED]
>>Sent: lunes, 04 de junio de 2007 11:07
>>To: Tomcat Users List
>>Subject: Re: I would like a new session each time I start my application
>>
>>Liz, please tell us what you're actually doing and why you need this?
>>I think there is a conceptual problem...
>>
>>----- Original Message -----
>>From: "Bachler, Elisabeth (Elisabeth)" <[EMAIL PROTECTED]>
>>To: <users@tomcat.apache.org>
>>Sent: Friday, June 01, 2007 6:57 PM
>>Subject: I would like a new session each time I start my application
>>
>>Hi,
>>I have an application that works under tomcat.
>>Each time I run my application I have the same sessionID. Is there a
>>way to generate a different sessionID each time I start my application?
>>
>>Thanks
>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
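
The one-time form token David describes above (issued when the form is rendered, retrieved and removed when a submission arrives), as an added example that is not part of the original thread. The class, attribute and field names are hypothetical; it assumes the `javax.servlet` API that Tomcat provides, and it uses a 128-bit `SecureRandom` value so the token is also hard for a third party to guess.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** One-time form token held in the session. Added example; all names are hypothetical. */
public final class FormToken {
    public static final String NAME = "formToken"; // session attribute and hidden field name
    private static final SecureRandom RNG = new SecureRandom();

    /*
     * Call while rendering the form, e.g. in a JSP:
     * <input type="hidden" name="formToken" value="<%= FormToken.issue(session) %>">
     */
    public static String issue(HttpSession session) {
        byte[] raw = new byte[16]; // 128 random bits
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String token = hex.toString();
        session.setAttribute(NAME, token); // replaces any token from an older page
        return token;
    }

    /** Call first on every form submission; true means the request may be processed. */
    public static boolean consume(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String submitted = request.getParameter(NAME);
        if (session == null || submitted == null) {
            return false;
        }
        String expected;
        // Retrieve and remove as one step so a concurrent double submit finds nothing.
        // Assumption: the container hands the same HttpSession object to both requests.
        synchronized (session) {
            expected = (String) session.getAttribute(NAME);
            session.removeAttribute(NAME);
        }
        if (expected == null) {
            return false; // token already used, or no form was rendered
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

A form opened in an older window fails `consume` because a later `issue` call overwrote its token, which is the out-of-sync case described in the thread.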