Thank you for this excellent answer! It makes a lot of sense to me.

Tong

--- Jason Lea <[EMAIL PROTECTED]> wrote:

> Some forms don't need tokens
>
> Let me see... some places you use tokens are where you want to stop an
> accidental resubmission of a form. Maybe where you are adding items to
> a database, and if they press refresh it submits the same item again.
> But forms that perform a search of a database might not need tokens
> because you don't care if they request the same data again.
>
> Some people then go out of their way to make the 2 things different. E.g.
> use method="GET" for queries such as searching databases where there is
> no change, but method="POST" for adding/updating/deleting things in a
> database. In these cases you would say the POST actions should have
> tokens and GET actions don't need tokens.
>
> So my admin pages where I add/update/delete use tokens, others don't.
> Though I still try to think what would happen if someone refreshed a
> form submission - if it would cause a problem, or confuse a user (e.g.
> because an error message would be displayed), then I would trap the
> error with a token.
>
> t t wrote:
>
> > Hi, Jason,
> > Thank you so much for your answer! Would you mind answering another
> > question for me? Is a token necessary for every form? In other words,
> > is it OK if I don't use a token for some forms?
> > Thanks again.
> > Tong
> >
> > Jason Lea <[EMAIL PROTECTED]> wrote:
> >
> > > You need 2 actions. The first saves a token, then displays the form.
> > > The 2nd action is called when the form is submitted, and the code
> > > below looks ok.
> > >
> > > I assume you either don't have an action to populate the form (e.g. the
> > > user opens the .jsp form directly), or the action does not save
> > > the token.
> > >
> > > When your action to process the form checks for a valid token, the
> > > token doesn't exist, so it is invalid and you return your error message.
> > >
> > > t t wrote:
> > >
> > > > Hi, all,
> > > >
> > > > I have a Form in my application. When the user clicks the
> > > > "submit" button, an Action class will be called. There
> > > > is some code like this in this class. The first time
> > > > the user clicks the button, the error
> > > > "error.transaction.token" was shown, while the second
> > > > time it's OK. Why?
> > > > Thanks in advance!
> > > > Tong
> > > >
> > > > if (!isTokenValid(request)) {
> > > >     errors.add(
> > > >         ActionMessages.GLOBAL_MESSAGE,
> > > >         new ActionMessage("error.transaction.token"));
> > > > }
> > > >   |
> > > >   |
> > > >   |
> > > > if (!errors.isEmpty()) {
> > > >     this.saveErrors(request, errors);
> > > >     this.saveToken(request);
> > > >     return (mapping.getInputForward());
> > > > }
> > >
> > > --
> > > Jason Lea
>
> --
> Jason Lea