tomcat-users mailing list archives

From "Bachler, Elisabeth (Elisabeth)" <ebach...@alcatel-lucent.com>
Subject RE: I would like a new session each time I start my application
Date Mon, 04 Jun 2007 14:10:57 GMT
Thank you very much. I will do as you suggest.
Elisabeth
 

-----Original Message-----
From: David Smith [mailto:dns4@cornell.edu] 
Sent: Monday, 04 June 2007 15:58
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

I'm suggesting you generate a token when rendering a form and store it
as an attribute of the session and as a hidden field in the form.  Every
time you get a form submission, compare the request parameter against
the session stored value and process the request.  Retrieve and remove
the attribute as soon as a form submission comes in to both flag your
jsp that there isn't already a token out there and help protect against
a double submit.  Some users just can't resist that itchy trigger finger
;-).

--David

Bachler, Elisabeth (Elisabeth) wrote:

>Thanks for your response.... Are you saying that every time the 
>index.html is executed, I should generate a random number and send it 
>to the other files. Then compare it with the one I have in the stack?
> 
>
>Elisabeth
>
>
>-----Original Message-----
>From: David Smith [mailto:dns4@cornell.edu]
>Sent: Monday, 04 June 2007 14:10
>To: Tomcat Users List
>Subject: Re: I would like a new session each time I start my 
>application
>
>As an alternative, you could incorporate one time tokens.  Generate on 
>every page request, stored in both session and request parameters and 
>compare on every submission.  If they go out of sync (i.e. an old one 
>shows up) you know they spawned a new window.  In that case the old 
>window should be considered abandoned.  Post a polite error message and 
>otherwise ignore the request.
>
>The tokens don't have to be complex -- a simple 16 bit random number 
>should be more than sufficient.  You could build it as a filter to help
>validate the request before it gets to your action code.
>
>--David
>
>Johnny Kewl wrote:
>
>  
>
>>Can't say I do understand...
>>Session ID's are almost untouchables... they're used by too many things, 
>>authentication, SSO, load balancing, and I'm worried that when the 
>>user does something as simple as a right click and opens a new page, 
>>the app breaks.
>>
>>I'm not sure what you're saying but I would rather go for something like 
>>change credits.
>>So, user does something that allows them one change... you store that 
>>in session ID, as an attribute, something like, 
>>setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on 
>>page 5 they make the change....
>>the attribute is set back to 0;
>>None of the other pages will allow it.... something like that.
>>
>>All I think that is happening is you're trying to store state in the 
>>browser page, instead of the Session. i.e. you give them a page, they 
>>change, you present them with a page that is one state further on... i.e. 
>>thank you for the change, can't change anymore, but the user just has to open 
>>a new page and they're back to the beginning.
>>But if you store the state in the session.... that won't happen.
>>Irony is I think you actually need that Session.
>>
>>Good Luck
>>
>>----- Original Message ----- From: "Bachler, Elisabeth (Elisabeth)" 
>><ebachler@alcatel-lucent.com>
>>To: "Tomcat Users List" <users@tomcat.apache.org>
>>Sent: Monday, June 04, 2007 12:32 PM
>>Subject: RE: I would like a new session each time I start my 
>>application
>>
>>
>>The thing is that my application accesses a database. When the user 
>>wants to modify the db, I lock the access to this particular action 
>>(and let the user only view the data) using the sessionID.
>>Now, if the user is "bad"... He can log on once and get the modify 
>>action... Then he can open a new screen and modify things again...
>>Which is not what I need. Every time a new screen is opened to execute 
>>the application I need a different sessionID. Do you see what my 
>>problem is? I don't know another way of doing it.
>>
>>
>>-----Original Message-----
>>From: Johnny Kewl [mailto:john@kewlstuff.co.za]
>>Sent: Monday, 04 June 2007 11:07
>>To: Tomcat Users List
>>Subject: Re: I would like a new session each time I start my 
>>application
>>
>>Liz, please tell us what you're actually doing and why you need this?
>>I think there is a conceptual problem...
>>
>>----- Original Message -----
>>From: "Bachler, Elisabeth (Elisabeth)" <ebachler@alcatel-lucent.com>
>>To: <users@tomcat.apache.org>
>>Sent: Friday, June 01, 2007 6:57 PM
>>Subject: I would like a new session each time I start my application
>>
>>
>>Hi,
>>I have an application that works under tomcat.
>>Each time I run my application I have the same sessionID. Is there a 
>>way to generate a different sessionID each time I start my
>>application?
>>
>>Thanks
>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org
>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>For additional commands, e-mail: users-help@tomcat.apache.org


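A servlet filter implementing the one-time form token scheme David describes above, added here as an illustration and not code from the thread or the Tomcat project. The attribute/parameter name formToken, the error page /stale.jsp, and the choice of a 128-bit SecureRandom value (instead of the 16-bit number mentioned) are this example's own assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;
// One-time form token filter for the scheme described in the thread. The names
// "formToken" and "/stale.jsp" are this example's own assumptions.
public class FormTokenFilter implements Filter {
    static final String TOKEN_NAME = "formToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Called while rendering the form, e.g. from the JSP:
    //   <input type="hidden" name="formToken"
    //          value="<%= FormTokenFilter.issueToken(session) %>">
    // Each render overwrites the session copy, so an older window's token goes stale.
    public static String issueToken(HttpSession session) {
        String token = new BigInteger(128, RNG).toString(32);  // 128 random bits, base 32
        session.setAttribute(TOKEN_NAME, token);
        return token;
    }

    // Compare the submitted token with the session copy, then remove that copy
    // whether or not it matched, so a repeat submit of the same form is rejected.
    static boolean consumeToken(HttpSession session, String submitted) {
        // Assumes the container hands concurrent requests the same session object
        // (Tomcat does), so the lock closes the race between two simultaneous submits.
        synchronized (session) {
            String expected = (String) session.getAttribute(TOKEN_NAME);
            session.removeAttribute(TOKEN_NAME);
            if (expected == null || submitted == null) return false;
            return MessageDigest.isEqual(expected.getBytes(), submitted.getBytes());
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if ("POST".equalsIgnoreCase(request.getMethod())) {  // state-changing submits only
            HttpSession session = request.getSession(false);
            String submitted = request.getParameter(TOKEN_NAME);
            if (session == null || !consumeToken(session, submitted)) {
                // Stale window or repeat submit: polite message, request otherwise ignored.
                request.getRequestDispatcher("/stale.jsp").forward(req, res);
                return;
            }
        }
        chain.doFilter(req, res);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Map the filter in web.xml to the URLs that receive the form posts; removing the session copy on every submission is what both rejects an abandoned window and blocks a double submit.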

