Alaska Winter wrote:
I would add a one time token to the request.
Do you mean on the client side using javascript or something?
Nope... just either a hidden field in the form or if you are building
URLs w/ parameters, just add it in. Very simple stuff.
1. Tomcat receives request
2. If it's an action request like adding an item to a cart, check for
   the presence of the token and compare to the one on the session.
3. On match, change the token in the session so the response can make
   sure it gets in the response hidden field or urls.
   Failing a match, create a new one anyway and store it in the session
   for the response and forward to a safe non-action page like a browse page.
4. Build response w/ either the hidden field pre-loaded with the new
   token or urls built w/ the new token.
Nothing so complex as javascript involved. Just straight server-side
management.
--David
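
The four steps above written out in plain Java, added here as an example and not code from the original post. A `Map` stands in for the `HttpSession` attributes so it runs with only the JDK; the attribute name `oneTimeToken` and the method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class OneTimeTokenDemo {
    static final String ATTR = "oneTimeToken"; // hypothetical session attribute name
    static final SecureRandom RNG = new SecureRandom();

    // Steps 3 and 4: store a fresh unpredictable token in the session and return it
    // so the response can place it in the hidden field or in the URLs it builds.
    static String rotate(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(ATTR, token);
        return token;
    }

    // Step 2: compare the submitted token with the one on the session, then replace
    // the session token whether or not it matched. Returns true when the action may
    // run; on false the caller forwards to a safe non-action page.
    static boolean checkAndRotate(Map<String, Object> session, String submitted) {
        synchronized (session) { // two concurrent requests must not both consume one token
            Object expected = session.get(ATTR);
            boolean ok = expected instanceof String && submitted != null
                && MessageDigest.isEqual( // comparison time does not depend on where bytes differ
                       ((String) expected).getBytes(StandardCharsets.UTF_8),
                       submitted.getBytes(StandardCharsets.UTF_8));
            rotate(session);
            return ok;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed stand-in for one user's session
        String first = rotate(session);                // token rendered into the first page
        System.out.println("first submit:   " + checkAndRotate(session, first));
        System.out.println("replayed token: " + checkAndRotate(session, first));
        System.out.println("missing token:  " + checkAndRotate(session, null));
        String fresh = (String) session.get(ATTR);     // token the last response would carry
        System.out.println("fresh token:    " + checkAndRotate(session, fresh));
    }
}
```

In a servlet, the same check would read the submitted value from the request parameter and the stored value from the session before dispatching the action.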