Alaska,
Alaska Winter wrote:
| What happens if the user hits the back button to the catalogue? Perfectly valid
| thing to do.
If they submit an old (expired) token, then you simply ignore the
request. You will probably want to notify them why the request w
I think I understand:
-- generate a unique token=xyz123 and store it in the session
-- generate the catalogue content so that addToCart URLs look like this in the
HTML source:
http://my.domain.com/addToCart.do?itemId=HB0019&token=xyz123
-- when the user adds an item to the cart, check the form data token against
Alaska Winter wrote:
I would add a one time token to the request.
Do you mean on the client side using javascript or something?
Nope... just either a hidden field in the form or, if you are building
URLs w/ parameters, just add it in. Very simple stuff.
1. Tomcat receives the request
Another suggestion: the HTML spec recommends using "POST" instead of
"GET" for a form operation that changes something on the server. If a
user refreshes the page, the browser will show a warning before
re-submitting the POST request. That may not be enough of a safeguard
in your situation, but it's
I would add a one time token to the request. Store it in the session
and when it comes back, the request is good. Immediately generate a new
token, process the request and send back the response. If an
unrecognized value comes in, treat the request as a default page/catalog
view.
--David
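The token scheme David describes, written out as an added example (this is not code from the thread or from Tomcat). A plain HashMap stands in for the HttpSession so it compiles and runs without the servlet API; the class, method and parameter names are hypothetical, and the item id and host come from the URL quoted earlier in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** One-time (synchronizer) token for addToCart: issue, embed in the URL,
 *  validate and rotate on use, fall back to the catalogue view otherwise.
 *  The Map stands in for HttpSession (assumption, not the servlet API). */
public class OneTimeToken {
    static final String TOKEN_KEY = "cart.token";
    static final SecureRandom RNG = new SecureRandom();

    /** Generate a fresh, unguessable token and store it in the session. */
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_KEY, token);
        return token;
    }

    /** Build the catalogue link carrying the item id and the current token. */
    static String addToCartUrl(String itemId, String token) {
        return "http://my.domain.com/addToCart.do?itemId=" + itemId + "&token=" + token;
    }

    /** Validate the submitted token against the session copy and, on a match,
     *  immediately replace it. A refresh or back-button re-submit of the same
     *  URL then carries a stale token and is rejected. */
    static boolean consumeToken(Map<String, Object> session, String submitted) {
        Object expected = session.get(TOKEN_KEY);
        if (expected == null || submitted == null) return false;
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(a, b); // constant-time comparison
        if (ok) issueToken(session);              // rotate before doing any work
        return ok;
    }

    /** Handler for addToCart.do: returns the view to render. An unrecognized
     *  token is treated as a default catalogue view, as suggested above. */
    static String handleAddToCart(Map<String, Object> session, Map<String, Integer> cart,
                                  String itemId, String token) {
        if (!consumeToken(session, token)) {
            return "catalogue";
        }
        cart.merge(itemId, 1, Integer::sum);
        return "cart";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        Map<String, Integer> cart = new HashMap<>();
        String t = issueToken(session);
        System.out.println("link: " + addToCartUrl("HB0019", t));
        System.out.println("first click:   " + handleAddToCart(session, cart, "HB0019", t));
        System.out.println("back+resubmit: " + handleAddToCart(session, cart, "HB0019", t));
        System.out.println("cart quantity: " + cart.get("HB0019"));
    }
}
```

Running main adds the item once and shows the second submit of the same URL landing on the catalogue view with the cart quantity still 1. The token is rotated inside consumeToken, before the cart is touched, so a second request arriving while the first is still being processed cannot match the old value; in a real servlet the session attribute access would need the same care under concurrent requests.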
Just tested the same scenario on JRun and successfully got the data posted
from the dotnet application. What I am thinking in my mind is that Tomcat is
filtering the incoming requests and filtering the data which comes without a
handle, i.e. without a name/value pair, so that it can put the name/value pair
in