tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: I would like a new session each time I start my application
Date Mon, 04 Jun 2007 13:58:29 GMT
I'm suggesting you generate a token when rendering a form and store it 
as an attribute of the session and as a hidden field in the form.  Every 
time you get a form submission, compare the request parameter against 
the session stored value and process the request.  Retrieve and remove 
the attribute as soon as a form submission comes in to both flag your 
JSP that there isn't already a token out there and help protect against 
a double submit.  Some users just can't resist that itchy trigger 
finger  ;-).

--David

Bachler, Elisabeth (Elisabeth) wrote:

>Thanks for your response.... Are you saying that every time the
>index.html is executed, I should generate a random number and send it to
>the other files. Then compare it with the one I have in the stack?
> 
>
>Elisabeth
>
>
>-----Original Message-----
>From: David Smith [mailto:dns4@cornell.edu] 
>Sent: Monday, 04 June 2007 14:10
>To: Tomcat Users List
>Subject: Re: I would like a new session each time I start my application
>
>As an alternative, you could incorporate one time tokens.  Generate on
>every page request, stored in both session and request parameters and
>compare on every submission.  If they go out of sync (i.e. an old one
>shows up) you know they spawned a new window.  In that case the old
>window should be considered abandoned.  Post a polite error message and
>otherwise ignore the request.
>
>The tokens don't have to be complex -- a simple 16-bit random number
>should be more than sufficient.  You could build it as a filter to help
>validate the request before it gets to your action code.
>
>--David
>
>Johnny Kewl wrote:
>
>  
>
>>Can't say I do understand...
>>Session IDs are almost untouchable... they're used by too many things, 
>>authentication, SSO, load balancing, and I'm worried that when the 
>>user does something as simple as a right click and opens a new page, 
>>the app breaks.
>>
>>I'm not sure what you're saying but I would rather go for something like 
>>change credits.
>>So, user does something that allows them one change... you store that 
>>in session ID, as an attribute, something like, 
>>setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on 
>>page 5 they make the change....
>>the attribute is set back to 0;
>>None of the other pages will allow it.... something like that.
>>
>>All I think that is happening is you're trying to store state in the 
>>browser page, instead of the Session. i.e. you give them a page, they 
>>change, you present them with a page that is one state further on... i.e. 
>>thank you for the change, can't change anymore, but the user just has to open 
>>a new page and they're back to the beginning.
>>But if you store the state in the session.... that won't happen.
>>Irony is I think you actually need that Session.
>>
>>Good Luck
>>
>>----- Original Message ----- From: "Bachler, Elisabeth (Elisabeth)" 
>><ebachler@alcatel-lucent.com>
>>To: "Tomcat Users List" <users@tomcat.apache.org>
>>Sent: Monday, June 04, 2007 12:32 PM
>>Subject: RE: I would like a new session each time I start my 
>>application
>>
>>
>>The thing is that my application accesses a database. When the user 
>>wants to modify the db, I lock the access to this particular action 
>>(and let the user only view the data) using the sessionID.
>>Now, if the user is "bad"... He can log on once and get the modify 
>>action... Then he can open a new screen and modify things again... 
>>Which is not what I need. Every time a new screen is opened to execute 
>>the application I need a different sessionID. Do you see what my 
>>problem is? I don't know another way of doing it.
>>
>>
>>-----Original Message-----
>>From: Johnny Kewl [mailto:john@kewlstuff.co.za]
>>Sent: Monday, 04 June 2007 11:07
>>To: Tomcat Users List
>>Subject: Re: I would like a new session each time I start my 
>>application
>>
>>Liz, please tell us what you're actually doing and why you need this?
>>I think there is a conceptual problem...
>>
>>----- Original Message -----
>>From: "Bachler, Elisabeth (Elisabeth)" <ebachler@alcatel-lucent.com>
>>To: <users@tomcat.apache.org>
>>Sent: Friday, June 01, 2007 6:57 PM
>>Subject: I would like a new session each time I start my application
>>
>>
>>Hi,
>>I have an application that works under tomcat.
>>Each time I run my application I have the same sessionID. Is there a 
>>way to generate a different sessionID each time I start my
>>application?
>>
>>Thanks
>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, 
>>e-mail: users-unsubscribe@tomcat.apache.org
>>For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>    
>>
>
>
>
>
>
>  
>


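Editor's note: the following is an added example, not code posted by anyone on this thread. It implements the one-time token (synchronizer token) scheme David describes above as a servlet filter plus a helper the JSP calls while rendering the form: the token is stored as a session attribute and as a hidden field, retrieved and removed in one step when a submission arrives, and compared in constant time. It assumes the javax.servlet API (Servlet 2.5, the Tomcat 6 era of this thread; on Tomcat 10 and later change the imports to jakarta.servlet) and Java 8 or newer for java.util.Base64. The attribute and parameter names are hypothetical. It deliberately goes beyond the 16-bit token suggested on the list and uses 128 bits from SecureRandom, so the value cannot be guessed by a stale window or a third party who can post to the form.

```java
// Added example (not from the list posts): one-time form token filter.
// Assumes javax.servlet (Servlet 2.5 / Tomcat 6) and Java 8+ for Base64.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class OneTimeTokenFilter implements Filter {

    // Hypothetical names; choose whatever fits the application.
    public static final String SESSION_ATTR = "example.formToken";
    public static final String PARAM_NAME   = "formToken";

    private static final SecureRandom RNG = new SecureRandom();

    /** Called by the JSP while rendering the form. Issues a fresh token,
     *  stores it in the session and returns it for the hidden field. Any
     *  earlier token is overwritten, so an older window still showing the
     *  form is abandoned, which is the behaviour the thread asks for.
     *  URL-safe Base64 ([A-Za-z0-9_-]) needs no escaping in an attribute. */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[16];                 // 128 bits, not the 16 bits
        RNG.nextBytes(raw);                        // suggested on the list
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_ATTR, token);
        return token;
    }

    /** Retrieve and remove the token in one step, so a second submission of
     *  the same form (double-click, back button + resubmit) finds nothing. */
    private static String consumeToken(HttpSession session) {
        synchronized (session) {                   // two tabs posting at once
            String t = (String) session.getAttribute(SESSION_ATTR);
            session.removeAttribute(SESSION_ATTR);
            return t;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only state-changing submissions carry a token; GETs just render forms.
        if ("POST".equalsIgnoreCase(request.getMethod())) {
            HttpSession session = request.getSession(false);
            String expected = (session == null) ? null : consumeToken(session);
            String supplied = request.getParameter(PARAM_NAME);

            // Constant-time comparison: no early exit on the first wrong byte.
            if (expected == null || supplied == null
                    || !MessageDigest.isEqual(
                            expected.getBytes(StandardCharsets.UTF_8),
                            supplied.getBytes(StandardCharsets.UTF_8))) {
                // Stale window, replayed form, or no form rendered at all:
                // polite error and the request is otherwise ignored.
                response.sendError(HttpServletResponse.SC_CONFLICT,
                        "This form has expired or was already submitted. Please reload the page.");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}

// Usage (hypothetical paths):
// JSP:     <input type="hidden" name="formToken"
//                 value="<%= OneTimeTokenFilter.issueToken(session) %>">
// web.xml: <filter><filter-name>token</filter-name>
//            <filter-class>OneTimeTokenFilter</filter-class></filter>
//          <filter-mapping><filter-name>token</filter-name>
//            <url-pattern>/modify/*</url-pattern></filter-mapping>
```

Two caveats a practitioner should keep in mind. The token is consumed on every POST, including one the action later rejects for bad input, so the page that re-renders the form must call issueToken again (a JSP that always emits the hidden field does this naturally). And because there is one token per session, two different forms open in two tabs cannot both be live; if that is needed, key the session attribute by form name. This filter only stops stale-window and duplicate submissions; the "one modification per login" rule Elisabeth describes still has to be enforced server-side in the session, as Johnny points out, because a user can always log in again and obtain a fresh session.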

