
Preventing Bookmarks

 
Dushy Inguva
Ranch Hand
Posts: 264
Hi,

I want to prevent the user from using bookmarked links to access pages deep in my application.

When a bookmarked link is accessed, my application might throw an error if that page expects to find a previously initialized session scope bean. Yes I am using JSF, but I think this post is more relevant in this forum.

Now, I am trying to write a filter to prevent such occurrences. I have a request.getSession().isNew()

The problem is, when a user visits a bookmarked link, the server presents the login form (my filter is never invoked here), by the time the user enters username and password and logs in, the session is already created and the session.isNew() returns with a false.

Is there any way around this?

Thanks,
Dushy
 
Ben Souther
Sheriff
Posts: 13411
I do this by putting an object in session after a successful login.

Each page (using a filter) checks for the existence of that object.
If it's not there, then I forward the user to the login page.
 
Tim Holloway
Saloon Keeper
Posts: 18094
No. In fact, some of the most successful security exploits on the Internet have been accomplished because a person (or program) can throw any text it likes at your server.

If you have deep-content pages interesting enough to bookmark, you should welcome the user, not thwart him/her. You can't control people's browsers anyway. The best you can do is synthesize temporary URIs that become meaningless when used at a later time.

I understand that you may need some context, however. Where possible, I recommend using wrapper services so as to minimize the manual maintenance of this aspect. That is, use container-based authorization rather than coded-in login logic, filters to detect lack of defined resources and create them (or redirect to a page where they can be created) and so forth.

As a last resort, custom JSP tags/servlet frontend logic can be used, but the first time you forget to include one on a newly created page, you've blown a hole in your system.
 
Dan Novik
Ranch Hand
Posts: 39
You can close the direct access to your "internal" pages via filters.
 
Rigel Kentaurus
Greenhorn
Posts: 11
Originally posted by Dushy Inguva:
Hi,

I want to prevent the user from using bookmarked links to access pages deep in my application.

When a bookmarked link is accessed, my application might throw an error if that page expects to find a previously initialized session scope bean. Yes I am using JSF, but I think this post is more relevant in this forum.

Now, I am trying to write a filter to prevent such occurrences. I have a request.getSession().isNew()

The problem is, when a user visits a bookmarked link, the server presents the login form (my filter is never invoked here), by the time the user enters username and password and logs in, the session is already created and the session.isNew() returns with a false.

Is there any way around this?

Thanks,
Dushy


Don't try to control your users... you can't.

A better approach would be to check for that session object that you need, and if it is not found redirect the user to the main page, or to the page where that session object is created. Then even if the user bookmarks the page
http://yourpage.com/productResults he would be redirected to, say, http://yourpage.com/index, and only after he has followed the valid navigation you have decided on for your site would he be able to enter that second results page.
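As an added example (not code posted in this thread), here is one servlet filter that implements both Ben's check (a marker object stored in the session at login, redirect to the login page when it is absent) and Rigel's check (a page that needs a session object created earlier in the flow bounces back to the page that creates it). It assumes .jsf suffix mapping, a login page at /login.jsf, a marker attribute named authenticatedUser that the login code stores after verifying credentials, and a /productResults.jsf page that needs a searchCriteria bean; every one of those names is an assumption for the sake of the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Default-deny filter mapped to every URL in the application. No page has to
 * "remember" to include a check: anything not listed as public needs the login marker.
 */
@WebFilter("/*")
public class RequireLoginFilter implements Filter {

    // Assumed name of the attribute the login code stores after a successful login.
    static final String USER_ATTR = "authenticatedUser";

    // Assumed context-relative paths that are reachable without a login.
    private static final Set<String> PUBLIC_PATHS = new HashSet<String>(
            Arrays.asList("/index.jsf", "/login.jsf", "/j_security_check"));

    // Assumed pages that also need a session object created earlier in the flow,
    // mapped to the attribute they expect. Missing it sends the user to /index.jsf.
    private static final Map<String, String> REQUIRED_CONTEXT = new HashMap<String, String>();
    static {
        REQUIRED_CONTEXT.put("/productResults.jsf", "searchCriteria");
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length());

        // Public pages and JSF's own resource handler (assumed JSF 2 prefix) pass through.
        if (PUBLIC_PATHS.contains(path) || path.startsWith("/javax.faces.resource/")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session, so a bookmarked deep link opened in a
        // fresh browser simply has none. isNew() is deliberately not used: it is already
        // false once the login form has been served, which is the problem in the question.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Remember only the context-relative path and query, never a full URL, so the
            // post-login redirect cannot be turned into an open redirect.
            String query = request.getQueryString();
            String returnTo = path + (query == null ? "" : "?" + query);
            request.getSession(true).setAttribute("returnTo", returnTo);
            response.sendRedirect(ctx + "/login.jsf");
            return;
        }

        // Logged in, but the page expects state from an earlier step (the session-scoped
        // bean from the question): send the user to the page that creates it, not an error.
        String needed = REQUIRED_CONTEXT.get(path);
        if (needed != null && session.getAttribute(needed) == null) {
            response.sendRedirect(ctx + "/index.jsf");
            return;
        }

        chain.doFilter(req, res);
    }
}
```

Mapping the filter to /* is what closes the hole Tim describes: a newly added page is protected unless someone explicitly adds it to PUBLIC_PATHS. The login code itself is not shown; it is the part that verifies the credentials and then stores the marker under USER_ATTR, and it should do so in a freshly created session rather than the one that happened to exist while the login form was displayed.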
 