Subject: Re: Race condition with values displayed across redirects 2007-10-04 - By Christopher Schultz
lb,
lightbulb432 wrote:
> Redirects are used so that users don't encounter the resubmit warning by the
> browser when they refresh the page, and so that page refreshes don't result
> in the POST being resent to the server.
I know people like to avoid those, but get real: refreshing a failed POST ought to re-POST the data (that will fail again). You should really only redirect on success.
> Passing the message in the request parameter (suggested by Mark) doesn't
> seem like the ideal solution, because (assuming a parameterized message
> based on submitted POST values) you'd need to pass the actual message in the
> query string. Not only would you have an ugly URL, but also someone could
> visit that page with their own message by changing the query string.
Oh, no! Someone could mount an XSS attack on themselves! :p
> Is there an ideal way to tell servlet S (one way I can think of is request
> attributes - anything else?) not to execute its filter when a redirect has
> been performed (i.e. to perform no further execution of its thread because
> the request has redirected away from it)? That way, am I correct to say you
> have a good solution - no race condition, no messages in query string, and
> you can use redirects as desired?
Um, <dispatcher>?
-chris
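The parameterized message carried across the redirect, as discussed in the thread, shown here as an added example that is not code from any poster: the redirect URL carries a message key and one argument instead of the message text, and the argument is HTML-escaped before display. The class name, the keys `saved` and `invalid`, and the parameter names `msg` and `arg` are hypothetical.

```java
import java.util.Map;

public class RedirectMessage {
    // Hypothetical catalogue: the redirect carries only a key, never the message text.
    private static final Map<String, String> TEMPLATES = Map.of(
        "saved", "Saved changes to {0}.",
        "invalid", "The value {0} is not valid.");

    // Escape the characters that are significant in HTML element and attribute context.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // In a servlet, key and arg would come from request.getParameter("msg") and ("arg").
    // An unknown key yields no message, so editing the URL cannot display arbitrary text.
    static String render(String key, String arg) {
        String template = (key == null) ? null : TEMPLATES.get(key);
        if (template == null) return "";
        String clipped = (arg == null) ? "" : arg.substring(0, Math.min(arg.length(), 100));
        return template.replace("{0}", escapeHtml(clipped));
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for query-string values after the redirect.
        System.out.println(render("saved", "profile"));
        System.out.println(render("invalid", "<script>alert(1)</script>"));
        System.out.println(render("<b>free text</b>", "x"));
    }
}
```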