
How to solve the "continuity problem"?

 
Edward Chen
Ranch Hand

I searched the internet, and it said to use a token to solve the problem. That is, when doing some sensitive action, such as checking out a shopping cart, at the beginning set a token and append it to the request and the session. Then, in the next step, check the token. After finishing, just delete the token.

But I did not see a simple example of this solution. Can anybody give me more detail?

More importantly, it said the page sets this token as a hidden value. But a hacker can easily check the page source, and they can find this hidden value!! We still haven't solved the problem.

Anyway, how to solve it?

Thanks
 
David O'Meara
Rancher
what is the "continuity problem"?
 
Jeroen Wenting
Ranch Hand
that's what I wonder...

I think someone has never heard about sessions?
 
Edward Chen
Ranch Hand
Originally posted by David O'Meara:
what is the "continuity problem"?

Web applications are stateless by their request/response nature. Reloading a page or clicking Back will sometimes crash our application, especially in a mission-critical application.

For example, if we delete some records, we send a request to the Controller-Servlet, then this servlet sends back a delete form to the user, then the user fills in the form and sends it back to the Controller-Servlet, which does some business and finally sends back a delete-successful message page to the user. But the problem is, if a hacker Reloads or goes Back, it will repeat the process, which will cause lots of wasted cost in the backend.

Thanks
 
Bear Bibeault
Author and ninkuma
Marshal
"Continuity problem" isn't exactly the best term for this.

One solution:

1) At the time the form is rendered, a token value is generated (usually using the system time) and added to the form as a hidden param. It is also stored in the session.

2) When the form is submitted, the token value in the hidden param is compared to the token value in the session. If they don't match or if either value is missing, the submission fails. If they match, the session token is removed and the op proceeds as planned.

3) All of the above needs to be carefully synchronized.
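One way to implement the three steps above in a servlet, added here as an example that is not from the thread (the class, attribute and method names are assumptions). It draws the token from SecureRandom rather than the system time mentioned in step 1, so that a token cannot be predicted, and performs the compare-and-remove of step 2 under a lock to cover step 3.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: renders a delete form (GET) and processes it once (POST).
public class DeleteRecordServlet extends HttpServlet {
    private static final String TOKEN_KEY = "delete.token";   // session attribute name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1: generate a token, store it in the session, and emit it as a hidden param.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = newToken();
        req.getSession(true).setAttribute(TOKEN_KEY, token);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method='post' action='delete'>"
            + "<input type='hidden' name='token' value='" + token + "'>"
            + "Record id: <input type='text' name='id'>"
            + "<input type='submit' value='Delete'></form>");
    }

    // Step 2: compare hidden param with the session copy; consume the token on success,
    // so a Reload or Back resubmission finds no token and is rejected.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        boolean accepted;
        synchronized (session) {   // step 3: check-and-remove must be atomic per session
            String expected = (String) session.getAttribute(TOKEN_KEY);
            String submitted = req.getParameter("token");
            accepted = expected != null && expected.equals(submitted);
            if (accepted) session.removeAttribute(TOKEN_KEY);
        }
        if (!accepted) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "Missing or already-used form token");
            return;
        }
        deleteRecord(req.getParameter("id"));   // hypothetical backend call
        resp.setContentType("text/plain");
        resp.getWriter().print("Record deleted");
    }

    // 128 bits from SecureRandom, URL-safe base64 so it is safe inside the hidden input.
    private static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private void deleteRecord(String id) { /* business logic goes here (hypothetical) */ }
}
```

Because the token is only compared against the copy held server-side in the submitter's own session, seeing it in the page source gives a third party nothing to replay; what the check blocks is the same form being processed twice.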
 
Jeroen Wenting
Ranch Hand
Essentially the HttpSession object will usually serve nicely as your token...
 