tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Race condition with values displayed across redirects
Date Thu, 04 Oct 2007 16:40:28 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

lb,

lightbulb432 wrote:
> Redirects are used so that users don't encounter the resubmit warning by the
> browser when they refresh the page, and so that page refreshes don't result
> in the POST being resent to the server.

I know people like to avoid those, but get real: refreshing a failed
POST ought to re-POST the data (that will fail again). You should really
only redirect on success.

> Passing the message in the request parameter (suggested by Mark) doesn't
> seem like the ideal solution, because (assuming a parameterized message
> based on submitted POST values) you'd need to pass the actual message in the
> query string. Not only would you have an ugly URL, but also someone could
> visit that page with their own message by changing the query string.

Oh, no! Someone could mount an XSS attack on themselves! :p

> Is there an ideal way to tell servlet S (one way I can think of is request
> attributes - anything else?) not to execute its filter when a redirect has
> been performed (i.e. to perform no further execution of its thread because
> the request has redirected away from it)? That way, am I correct to say you
> have a good solution - no race condition, no messages in query string, and
> you can use redirects as desired?

Um, <dispatcher>?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHBRd89CaO5/Lv0PARAqfdAKCphZJo0OBjQ1L+Lnhy7/FmndajuwCgnGPo
AgIrExTUevV/v6KyhqPUDgU=
=19YI
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message