Java Mailing List Archive

Apache Tomcat, 12/2007

Re: Race condition with values displayed across redirects

Christopher Schultz




lightbulb432 wrote:
> Redirects are used so that users don't encounter the resubmit warning by the
> browser when they refresh the page, and so that page refreshes don't result
> in the POST being resent to the server.

I know people like to avoid those, but get real: refreshing a failed
POST ought to re-POST the data (that will fail again). You should really
only redirect on success.

> Passing the message in the request parameter (suggested by Mark) doesn't
> seem like the ideal solution, because (assuming a parameterized message
> based on submitted POST values) you'd need to pass the actual message in the
> query string. Not only would you have an ugly URL, but also someone could
> visit that page with their own message by changing the query string.

Oh, no! Someone could mount an XSS attack on themselves! :p

> Is there an ideal way to tell servlet S (one way I can think of is request
> attributes - anything else?) not to execute its filter when a redirect has
> been performed (i.e. to perform no further execution of its thread because
> the request has redirected away from it)? That way, am I correct to say you
> have a good solution - no race condition, no messages in query string, and
> you can use redirects as desired?

Um, <dispatcher>?

-chris