Java Mailing List Archive

http://www.junlu.com/

Home » Home (12/2007) » Apache Tomcat »

Re: Race condition with values displayed across redirects

Christopher Schultz

2007-10-04

Replies:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

lb,

lightbulb432 wrote:
> Redirects are used so that users don't encounter the resubmit warning by the
> browser when they refresh the page, and so that page refreshes don't result
> in the POST being resent to the server.

I know people like to avoid those, but get real: refreshing a failed
POST ought to re-POST the data (that will fail again). You should really
only redirect on success.

> Passing the message in the request parameter (suggested by Mark) doesn't
> seem like the ideal solution, because (assuming a parameterized message
> based on submitted POST values) you'd need to pass the actual message in the
> query string. Not only would you have an ugly URL, but also someone could
> visit that page with their own message by changing the query string.

Oh, no! Someone could mount an XSS attack on themselves! :p

> Is there an ideal way to tell servlet S (one way I can think of is request
> attributes - anything else?) not to execute its filter when a redirect has
> been performed (i.e. to perform no further execution of its thread because
> the request has redirected away from it)? That way, am I correct to say you
> have a good solution - no race condition, no messages in query string, and
> you can use redirects as desired?

Um, <dispatcher>?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHBRd89CaO5/Lv0PARAqfdAKCphZJo0OBjQ1L+Lnhy7/FmndajuwCgnGPo
AgIrExTUevV/v6KyhqPUDgU=
=19YI
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)

©2008 junlu.com - Jax Systems, LLC, U.S.A.