struts-dev mailing list archives

From Robert Leland <>
Subject Re: Request to reserve two hidden field names
Date Tue, 03 Oct 2000 15:57:30 GMT
> Just a question: why use hidden fields instead of having a class MenuForm
> derived class ActionForm, with two instance variables 'cmd' and 'token'?

Actually the hidden fields are in the MenuForm class as you suggest,
and it uses Struts to load and unload them.

> With hidden fields, a malicious user could see their content and change the
> value of a field and resubmit a transaction.

I wasn't aware of that. However, the token would prevent some
malicious actions.

The token is a hashed string encoded via MD5 or Blowfish etc.
that contains the unique session ID and current system time,
or whatever else you wish to include.
Altering its contents would be pointless. If it were altered,
then the command sent would be ignored.

The servlet knows what the current valid token is,
and a token can be used once and only once.
Once a token has been submitted, the current valid token is destroyed.
Resubmitting it would result in the command being ignored,
or redisplaying the current page, or whatever action you wished to take.

> The only advantage I can see is
> if you need to change their value with JavaScript code on the browser side,
> without a round-up to the server.
> If you use your own class, you don't need any more to reserve field names.
> And you can add your menu behaviour without changing your JSP code: just
> change your inheritance link in the form bean associated with the page, et
> voilà!

As an alternative I have also used:
<struts:input type="submit" value="Button1"
    onMouseover="'button1' " >

Which doesn't use a hidden field for 'cmd'. This in fact ties in better with
Struts' dispatching mechanism.

> Pierre Métras

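The one-shot transaction token described in the message above, as an added example that is not part of the original thread or of Struts itself. It assumes an in-memory per-session store; the token is a SHA-256 hash (the message names MD5 or Blowfish) over a random nonce, the session ID and the current time, compared in constant time and destroyed on first use, so a replay or an altered token is ignored while the pending valid token survives a failed attempt.

```python
import hashlib
import hmac
import secrets
import time


class TransactionTokenStore:
    """Holds at most one currently valid token per session (assumed in-memory store)."""

    def __init__(self):
        self._current = {}  # session_id -> currently valid token, or absent

    def issue(self, session_id, now=None):
        """Create a fresh token for the session; it replaces any earlier one."""
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)  # random salt so two tokens never collide
        material = f"{session_id}|{now:.6f}|".encode() + nonce
        token = hashlib.sha256(material).hexdigest()
        self._current[session_id] = token
        return token

    def consume(self, session_id, submitted):
        """Accept the token once: True on first valid use, False for replay or tampering."""
        expected = self._current.get(session_id)
        if expected is None or submitted is None:
            return False
        if not hmac.compare_digest(expected, submitted):
            return False  # altered token: command ignored, valid token kept
        del self._current[session_id]  # destroyed on successful use
        return True


def handle_submit(store, session_id, form):
    """Dispatch the 'cmd' field only when the accompanying 'token' is valid and unused."""
    if not store.consume(session_id, form.get("token")):
        return "ignored"
    return f"executed {form.get('cmd')}"


def demo():
    """Constructed sample: first use accepted, replay ignored, altered token ignored."""
    store = TransactionTokenStore()
    sid = "SESSION-abc123"  # constructed sample session id
    tok = store.issue(sid)
    first = handle_submit(store, sid, {"cmd": "delete", "token": tok})
    replay = handle_submit(store, sid, {"cmd": "delete", "token": tok})
    tok2 = store.issue(sid)
    flipped = "0" if tok2[-1] != "0" else "1"
    tampered = handle_submit(store, sid, {"cmd": "delete", "token": tok2[:-1] + flipped})
    return first, replay, tampered
```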