Hide Buttons From Servlets

Hi,
I am creating a game where a user needs to roll dice and if he rolls dice three times he then must choose one from one of the thirteen options.
My problem is once the user has rolled the buton three time how do I disable the button. I cannot use javascript as I am under assumption that user is always malicious so I cannot use Javascript.
I tried using Session but the problem is as initially session is set to null my "submit" button ends up being a text box.

I am able to count the number of time the dice is rolled but unable to disable it when count reaches three .
Please Provide snippet of sample code.

<input type="submit" name="roll" value="rolls Left ${Rolled}">
this will display out put like
rolls left 3
rolls left 2
rolles left 1

but I want the button to hide or disable when roll comes to 1

thanks in advance

Praveen Banthia wrote:I cannot use javascript as I am under assumption that user is always malicious so I cannot use Javascript.

Nonsense. You need to use JavaScript to react to client-side events.

Your "assumption" is like saying "I won't use a kitchen knife to chop my celery because someone might stab someone with a knife."

What's wrong with using <c:if> to only generate that <input> element when ${Rolled} is greater than 1? You haven't said anything at all to indicate that rolling dice is a client-side event -- and since you said you wouldn't use Javascript, that means it can't possibly be a client-side event.

Good point -- if the page is being repainted after every "move" as if it were still 1998, then everything would be done on the server.

But the notion that using JavaScript is somehow automatically unsafe is also a rather ridiculous throwback to 1998.

Hi I know what you guys saying but I am doing a project where my main concentration is security and my professor has asked us to assume that end user is malicious and
I think if end user is malicious any code visible by right click ->view source can be altered.

H I liked the solution of Pual clapman to use if can you please show me an example of how to use cif. The rolled is calculated on server side and result is used by JSP using session get attribute property

and other is there a way we can use javascript and be sure that that code is not visible to end user or can be verified by the server.

My aim is I need to make sure that the user rollls dice three times (yahztee) and choos a option of 13 possible option any ideas on how to do this from javascript securely are appreciated

Hi Praveen. I understand your issue with the javascript, in my opinion you should use javascript to disabled the button, as you said in the servlet you have the count of the rolled dice if someone malicious disabled javascript and submit again in your servlet you must have a routine that validate the if request its valid or if the rolled dice is greater than one, but the way you can use the solution of Paul with the if tag from jstl or just use EL, I give you and example.

<input type="submit" name="roll" value="rolls Left ${Rolled}" ${Rolled == 1 ? "disabled": "" } />

I hope this help you with your problem

Kind regards.
Cesar

Hi thanks Cease for example I will take your advice and I will consider it and implement saftey measure on servler as well as disable button from javascript.
Thanks to all who helped me