Session state help

Ice Penov
Hi, guys

In an attempt to get as much practice as possible, I created a web application and ran into the following problem, which I hope one of you can help me solve:


I created a web application that is heavily dependent on the steps involved in a particular session. For example:

|--Start-->Step 1: Entry point of the app, here I collect the basic info using a POST-->Step 2: Dependent on the info in step 1, the user gets a new form and posts to the server-->Step 3: The server responds to the client based on the collected info.

Pretty simple and straightforward.

Now, I wanna make sure that the client cannot skip a step (by using the recorded history in the browser), so for example when he arrives at the application (Step 1) he cannot skip that step by putting in the URL of the second step. If that happens the client will get a malformed form and an HTTP 500 will be produced.

The session is created at step 1 (when the user arrives in the application) and is invalidated once he gets the results he requested (step 3).

Q1: How can I make sure that when a client requests a particular resource (at step 2) that request is being made from step 1?

Cookies occurred to me at first (by setting some cookie flags and values when the user completes one step), but cookie values can be faked and I don't wanna mess up the design by adding multiple cookie flags.

Also, the Referer HTTP header comes to mind. I already have a filter that intercepts the requests made to the crucial session components and checks whether the request is from a client that has a valid session. I can make a check using the 'Referer' header and the getServletPath method and decide if step N is invoked by step N-1. But I also know that the 'Referer' header can be spoofed and that some browsers decide to filter it.

Making the links to the components not visible to the client would very much solve my problem in a clean way. For example, the client getting the same URL when he accesses any of the components would prevent the client from requesting a step prematurely. How can I do that? Is it possible for multiple components to have the same URL visible to the client (same url-patterns)?!

Am I missing something obvious here?!?

Guys, it would be great if someone tries to suggest a solution to this problem that has been eating me up for the last few hours.

Thank you in advance,
Ice
[ April 23, 2006: Message edited by: Bear Bibeault ]
Satish Chilukuri

Originally posted by Ice Penov:
Now, I wanna make sure that the client cannot skip a step (by using the recorded history in the browser), so for example when he arrives at the application (Step 1) he cannot skip that step by putting in the URL of the second step. If that happens the client will get a malformed form and an HTTP 500 will be produced.

Originally posted by Ice Penov:
|--Start-->Step 1: Entry point of the app, here I collect the basic info using a POST-->Step 2: Dependent on the info in step 1, the user gets a new form and posts to the server-->Step 3: The server responds to the client based on the collected info.

So, when the user gets past Step 1, you will have some information available with you. Right? You can save this info in the session or in a database and when the user posts his data in Step 2, you can check if the data from Step 1 is available. If not, then the user has directly entered the link for Step 2. Same logic applies for Step 3.

Originally posted by Ice Penov:
Making the links to the components not visible to the client would very much solve my problem in a clean way

Assuming you have a Controller servlet, you can specify the component to be accessed as a hidden field and always use POST. When a request comes in to your controller, based on the value of the hidden field, you can redirect the request to the responsible handler. That way the user will see only the Controller name in the URL. (But if the user is smart enough to spoof cookies and headers, he can spoof hidden fields as well.) I think the better way would be to ensure that Step 1 data is available when in Step 2 and Step 2 data is available when in Step 3.
 
Ice Penov
Satish,

thank you for your reply.

Yes, hidden fields would also be a solution, but the client will have access to my underlying mechanism easily (by pressing View Source in FF). I never liked hidden form fields.

Of course, validating input at step 2 for valid inputs at step 1. I always have a tendency to miss the most obvious solutions! Is it OK to put that checking code in the filter I already have?

That filter checks whether the client is in a valid session for ALL of my crucial session components (by listening for all requests with the /session/* pattern). I wanna do that to keep checking code out of my components, to keep it more clean with increased cohesiveness.

Once again,
Thank you

p.s., @Bear, what did you do to my post?
 
Satish Chilukuri

Originally posted by Ice Penov:
Is it OK to put that checking code in the filter I already have?

Yes, it is perfectly OK to do so. That's one reason for using filters: getting rid of bad requests as early as possible.
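Satish's check (the previous step's data must already be in the session) placed in the /session/* filter Ice describes, as an added example that is not code from this thread. The servlet paths, the session attribute names and the redirect to step 1 are assumptions; each step's servlet is assumed to store its validated POST data under the named attribute.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed to be registered in web.xml with url-pattern /session/* (the filter Ice describes).
public class StepOrderFilter implements Filter {
    // Hypothetical servlet paths and attribute names; each step's servlet stores its validated
    // POST data under the attribute named here, and only then is the next step reachable.
    private static final String ENTRY_POINT = "/session/step1";
    private static final Map<String, String> REQUIRED_ATTRIBUTE = new HashMap<String, String>();
    static {
        REQUIRED_ATTRIBUTE.put("/session/step2", "step1Data");
        REQUIRED_ATTRIBUTE.put("/session/step3", "step2Data");
    }
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // Step 1 is the entry point: it is always allowed and starts the session itself.
        if (ENTRY_POINT.equals(path)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): never create a session here; no session means no workflow in progress.
        HttpSession session = request.getSession(false);
        String needed = REQUIRED_ATTRIBUTE.get(path);
        // Unknown path under /session/*, no session, or previous step's data missing: the step
        // was reached out of order (typed URL, browser history), so send the client back to step 1.
        // Only server-side state is consulted; Referer and hidden fields are not trusted.
        if (session == null || needed == null || session.getAttribute(needed) == null) {
            response.sendRedirect(request.getContextPath() + ENTRY_POINT);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The step 1 servlet sets "step1Data" only after its POST validates, step 2 does the same for "step2Data", and step 3 calls session.invalidate() after responding, so a completed workflow cannot be re-entered from the browser history.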