tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Price <>
Subject Re: INSECURE to rely on sendRedirect (??)
Date Fri, 24 Jan 2003 18:19:00 GMT

Tim Moore wrote:

>>*obligated* to respect the redirect.  This means that relying on a 
>>redirect to protect secure data might be a mistake.  In other server 
>>side languages (Perl, PHP), you can call exit immediately 
>>after setting 
>>the header to ensure that the sensitive data is not sent from 
>>the server 
>>to the user agent in the event that the user agent does not 
>>respect the 
>>redirect.  However, as Paul Yunusov on this list pointed out 
>>to me, you 
>>cannot simply exit a servlet, it is not the same as a PHP or Perl 
>>script.  (The original message is appended to this one.)
> No, but you can return from a servlet's request method :-)


>>There could be a flaw in my logic, or I could simply be stating the 
>>obvious and everyone knew this.  If either of those is the 
>>case, please 
>>point out my fallacy and I apologize for wasting everyone's time. :)
> What if you return right after calling sendRedirect?

That works!  Well, I haven't tested it very thoroughly, obviously, but 
that seems to do the trick!  I didn't even think of that, to be honest 
with you.  Since doFilter() returns void anyway, it simply terminates 
the filter!  (Of course I will have to make sure that any logging code I 
wish to use happens before the return statement, but that's beside the 

Thanks a lot Tim.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message