I am using Struts and Java. The problem is that I have a page with some results. The user can click an item and edit it. I want after editing the user to be able to return back to the results. Back isn't broken but if he submits the form for update he would have to click back 2 times I think and may have problem.
I have tried header("Referer") but this doesn't work in Internet Explorer.
I am trying to implement a solution. Any ideas? My idea is to save url and move around an ID of that url. And when I want to return back get the url from ID. Storing it in the session is not a solution because the user may have opened multiple windows.
Passing a URL as a request parameter may create security issues. Powerlord is right that the USER can alter the referrer header. This will allow the user to visit a page, something they can do anyway. More seriously, following a URL that is in a request parameter allows an attacker to send the user to a page of the attacker's choice, with the appearance that this page is recommended by your application. So the answer from BalusC can enable Cross-Site Request Forgery.
The best way is to pass it around as a request parameter. On the edit link or button, just pass the current URL along as request parameter. Here's an example with a link:
edit
Or if it's a button to submit a form, then rather pass it as hidden input value in the same form:
<input type="hidden" name="from" value="${pageContext.request.requestURI}">
In the page with the edit form, transfer it to the subsequent request as hidden input value of the form:
<input type="hidden" name="from" value="${param.from}">
In the action method, just redirect to that URL after finishing the action. Since I don't do Struts, I can't give a detailed Struts example, but here is how you would do it with "plain vanilla" Servlet, you must be able to port it to a Struts approach:
response.sendRedirect(request.getParameter("from"));
Related
I am in bit of a delicate situation here. In my organization we design stock management systems and it is a web application based on JSP pages and servlets which handles them.
I have been asked to fix a specific problem. We have a JSP page with an HTML form table where there are stock details. When user enters the details manually and submit the form, stock details updated in the database and it works fine.
Problem is this : When the user press the browser's back button, user can come to the previous page where he submitted the details. And when the user submit this, data is saved once more to the database.I need to prevent this behaviour.(Something likeclear and reload the page.)
Things I did so far : clear the browser cache.Code works fine but not the expected result.
Unfortunately I cannot share the code due to company regulations. What I need is a help to prevent this behaviour or a workaround.
Thanks in advance..
You can use a javascript function with the help of a hidden attribute to reload the web page. When the user press the back button,based on the value of the hidden attribute, page will be reloaded without loading the cached page.
Your approach of clearing cache is correct. Coupled with that, you can use this approach.
<input type="hidden" id="refreshed" value="no">
<script type="text/javascript">
onload=function(){
var e=document.getElementById("refreshed");
if(e.value=="no")e.value="yes";
else{e.value="no";location.reload();}
}
</script>
One drawback of this approach is if your clients' browsers have disabled JS, this will not work.Otherwise it should work.
When the user press the browser's back button, user can come to the
previous page where he submitted the details. And when the user submit
this, data is saved once more to the database.
According to how you described it, that is based on a doGet request. Which means every time you visit that URL, it will send the request with whatever parameters were added.
As someone already mentioned, if you switch the form to a post method and switch the Servlet to a doPost, you won't have this issue anymore.
Alternatively you can circumvent this with a javascript solution. Here are some options:
You can check if the user clicked the back button, disable form if true.
Another way is by storing a cookie which you check on page load, if it exists you can disable the form.
You can use this code also
$(document).ready(function() {
function disableBack() { window.history.forward() }
window.onload = disableBack();
window.onpageshow = function(evt) { if (evt.persisted) disableBack() }
});
You must use a Post-Redirect-Get pattern: https://en.m.wikipedia.org/wiki/Post/Redirect/Get.
Actually, every use of standard HTML forms with method="post" should be implemented with that pattern. It doesn't have any use for AJAX-posted forms, which actually could be another solution but will require more work and probably some architectural changes.
I had this same problem while building a django web app, and my solution was to not allow caching of the html that contains the form. In your request handler, do not allow the browser to cache the page. This will force the browser to get the page fresh from the document.
Which, in this case, you can just verify in your request handler if the requested form has already been submitted.
My code for reference:
from django.views.decorators.cache import never_cache
#never_cache
def GetForm(request, pk):
# Logic #
if (IsFormCompleted(pk)):
# Handle request #
Here is a solution.
give a random id in a hidden field on the form. Then on the server side, if the user resubmit, check if the random id already on the database. If so, redirect user.
After submitting a form, calling an action and redirecting to show the jsp, the final url of the browser will show the action with the submit parameters as follows. Is it possible to hide the parameters ?
http://localhost:8080/myproject/login?username=aaa&password=123
Use "redirect" result type to send the redirect to the browser. The parameters should still be in your session/action context.
The comment by #sanbhat is right - use a POST request so that the parameters do not appear in the URL. Using browser dev tools or similar it's still possible to inspect the request and it's post data, there's nothing you can do about that.
In the final redirect to the result JSP, (which presumably shows what the user wrote on the form), then the fields can be populated by saving the results in session scope, so no need to have request parameters on the redirect URL.
i guess you are making a GET call here..
in the submit action make sure you specify method="post" so that password wont appear as parameter
You are using get method. Change it to post method. Example is:
form method="post" name="form name" action="Your action page"
use post method in the form , default is get so u always see the parameters in the url.
<form action="some.jsp" method="post">
I want to login into a website. I need to identify the url to login. The view source shows post method as follows.
<form id="signIn" onsubmit="return false;" action="/f1/logon" method="post">
I see that there is no javascript that validates the url.
When i use the below url directly on a browser,
https://www.abc.com/f1/logon
I get a blank page. When I use below,
https://www.abc.com/logon
I dont see the repsonse of the loggedin page. It shows the response of the signin page though. How do i identify the correct url to autologin. downloaded soem toold like fiddler but no help. any inputs?
Invoking a URL in a browser sends a GET request. This form, however, is configured to send a POST request (look at the method attribute), so it makes sense that you are not seeing anything in your browser.
It's strange that the onsubmit attribute returns false. This prevents the form from being submitted at all. Take a look at the "login" button. There may be some Javascript code there which does the form submission.
Fidller is a good tool, you can start capture job and then you perform a login. Find which request contain your login and password.
I want to forward from one page to another but with the same I want url to be changed. Suppose user is here http://mywebsite/register and when he completes his registration process then I want this in his address bar http://mywebsite/home
Is it possible without using sendRedirect , I mean by the way server side forwarding only? or any other way around to this problem?
You could just let the HTML form submit to that URL directly.
<form action="http://mywebsite/home">
But this makes no sense. You'll also run into problems when redisplaying the same form with validation messages in case of validation failure. You'd need to redirect back to the original page if you intend to keep the original URL and you'd need to fiddle with storing messages in the session scope instead of the request scope because a redirect basically creates a brand new request. You'll without a redirect also run in "double submit" problem whenever the enduser presses F5 after submitting the form.
Just let the servlet redirect the successful POST request to the desired URL. That's the canonical approach. Even more, this is a recommend "design pattern": the POST-Redirect-GET pattern.
AFAIK there's no way around a redirect since the browser has to update the url at some point. And if you'd update the url after the forwarded to page has been loaded it would issue a refresh and the page would be loaded again (which might result in an endless loop).
Why don't you want to use a redirect in that case?
I've got several Portlets with some links in them, all I want is to hide the URL params. So I thought it would be easy to include some jQuery code, which builds a form for each and binds a click event on it to submit the form.
This does not work. The action request isn't hit for some reason.
Does anyone have a different suggestion for hiding URL parameters?
description of link
<form name="mydataform" id="mydataform" action="/actionurlonyoursite" method="post">
<input type="hidden" name="myparam" value="" />
</form>
<script type="text/javascript">
function handleThisLink()
{
// access the hidden element in which you wish to pass the value of the parameter
dojo.byId("myparam").value = "myvalue";
// the value might be precomputed (while generating this page) or
// might need to be computed based on other data in the page
// submit the form by HTTP POST method to the URL which will handle it.
document.forms['mydataform'].submit();
// also possible to actually send a background AJAX request and publish
// the response to some part of the current page, thus avoiding full
// page refresh
// I used dojo.byId() as a shortcut to access the input element
// this is based on dojo toolkit.
}
</script>
Links fire GET requests by default. You cannot fire HTTP GET requests without passing parameters through the URL. The only what can do this is HTTP POST. All parameters are then included in the request body. But you would need to replace all links by forms with buttons and you need to modify the server side code so that it listens on POST requests instead of GET requests to take actions accordingly.
Javascript can also fire GET requests just in "the background" with help of XMLHttpRequest, but when a client has JS disabled, your application will either break or still display the parameters. Also the client has full control over JS code, so it does not necessarily "hide" the parameters from the client, but only from the browser address bar.
You can using XMLHttpRequest to hide URL parameter or using session variable of servlet container.
Maybe you can using encode url to show complex data to end user.
good luck