JavaRanch » Java Forums » Java » Servlets
Session state help

Ice Penov
Ranch Hand

Joined: Apr 19, 2005
Posts: 70
Hi, guys

In an attempt to get as much practice as possible, I created a web application and ran into the following problem, which I hope one of you can help me solve:


I created a web application that is heavily dependent on the steps involved in a particular session. For example:

|--Start --> Step 1: Entry point of the app; here I collect the basic info using a POST
         --> Step 2: Dependent on the info from step 1, the user gets a new form and posts it to the server
         --> Step 3: The server responds to the client based on the collected info.

Pretty simple and straightforward.

Now, I want to make sure that the client cannot skip a step (by using the recorded history in the browser), so for example when he arrives at the application (Step 1) he cannot skip that step by entering the URL of the second step. If that happens, the client will get a malformed form and an HTTP 500 will be produced.

The session is created at step 1 (when the user arrives in the application) and is invalidated once he gets the results he requested (step 3).

Q1: How can I make sure that when a client requests a particular resource (at step 2), that request is being made from step 1?

Cookies occurred to me at first (by setting some cookie flags and values when the user completes one step), but cookie values can be faked and I don't want to mess up the design by adding multiple cookie flags.

Also, the Referer HTTP header comes to mind. I already have a filter that intercepts the requests made to the crucial session components and checks whether the request is from a client that has a valid session. I could make a check using the Referer header and the getServletPath method and decide whether step N is invoked by step N-1. But I also know that the Referer header can be spoofed and that some browsers decide to filter it.

Making the links to the components not visible to the client would very much solve my problem in a clean way. For example, if the client sees the same URL when he accesses any of the components, that will prevent him from requesting a step prematurely. How can I do that? Is it possible for multiple components to have the same URL visible to the client (same url-patterns)?

Am I missing something obvious here?

Guys, it would be great if someone could suggest a solution to this problem, which has been eating me up for the last few hours.

Thank you in advance,
Ice
[ April 23, 2006: Message edited by: Bear Bibeault ]

In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move.
Satish Chilukuri
Ranch Hand

Joined: Jun 23, 2005
Posts: 266
Originally posted by Ice Penov:
Now, I want to make sure that the client cannot skip a step (by using the recorded history in the browser), so for example when he arrives at the application (Step 1) he cannot skip that step by entering the URL of the second step. If that happens, the client will get a malformed form and an HTTP 500 will be produced.

|--Start --> Step 1: Entry point of the app; here I collect the basic info using a POST
         --> Step 2: Dependent on the info from step 1, the user gets a new form and posts it to the server
         --> Step 3: The server responds to the client based on the collected info.

So, when the user gets past Step 1, you will have some information available with you, right? You can save this info in the session or in a database, and when the user posts his data in Step 2, you can check whether the data from Step 1 is available. If not, then the user has directly entered the link for Step 2. The same logic applies for Step 3.

Originally posted by Ice Penov:
Making the links to the components not visible to the client would very much solve my problem in a clean way

Assuming you have a Controller servlet, you can specify the component to be accessed as a hidden field and always use POST. When a request comes in to your controller, based on the value of the hidden field, you can redirect the request to the responsible handler. That way the user will see only the Controller name in the URL. (But if the user is smart enough to spoof cookies and headers, he can spoof hidden fields as well.) I think the better way would be to ensure that Step 1 data is available when in Step 2 and Step 2 data is available when in Step 3.
Ice Penov
Ranch Hand

Joined: Apr 19, 2005
Posts: 70
Satish,

thank you for your reply.

Yes, hidden fields would also be a solution, but the client would have easy access to my underlying mechanism (by pressing View Source in FF). I never liked hidden form fields.

Of course, validating the input at step 2 against the valid inputs from step 1. I always have a tendency to miss the most obvious solutions! Is it OK to put that checking code in the filter I already have?

That filter checks whether the client is in a valid session for ALL of my crucial session components (by listening for all requests matching the /session/* pattern). I want to do that to keep the checking code out of my components, to keep them cleaner with increased cohesion.

Once again,
Thank you

p.s., @Bear, what did you do to my post?
Satish Chilukuri
Ranch Hand

Joined: Jun 23, 2005
Posts: 266
Originally posted by Ice Penov:
Is it OK to put that checking code in the filter I already have?


Yes, it is perfectly OK to do so. That's one reason for using filters: getting rid of bad requests as early as possible.
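The server-side check Satish recommends (step 1 data must exist before step 2, step 2 data before step 3), placed in the /session/* filter Ice already has, as an added example. This is editor's code, not code from the thread; the paths /session/step1, /session/step2 and /session/step3, the session attribute names step1Data and step2Data, and the form field "name" are assumptions, and it assumes a Servlet 3.0+ container (javax.servlet). The only thing the client holds is the session ID; the proof that a step was completed never leaves the server, so there is nothing in a cookie, hidden field or Referer to forge.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Enforces Step 1 -> Step 2 -> Step 3 for everything under /session/*.
 * A step is "unlocked" only by the previous step's servlet storing its
 * validated data in the server-side session. Paths and attribute names
 * are assumed for this example, not the original application's.
 */
@WebFilter("/session/*")
public class StepOrderFilter implements Filter {

    static final String ENTRY_POINT = "/session/step1";
    static final String STEP1_DATA = "step1Data";
    static final String STEP2_DATA = "step2Data";

    // Step resource -> session attribute the previous step must have stored.
    private static final Map<String, String> REQUIRED_BEFORE = new HashMap<>();
    static {
        REQUIRED_BEFORE.put("/session/step2", STEP1_DATA);
        REQUIRED_BEFORE.put("/session/step3", STEP2_DATA);
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path, e.g. "/session/step2". servletPath + pathInfo
        // (rather than getRequestURI) already has any ;jsessionid=... stripped.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        if (ENTRY_POINT.equals(path)) {
            chain.doFilter(req, res);   // Step 1 is always reachable; it starts the flow.
            return;
        }

        String needed = REQUIRED_BEFORE.get(path);
        if (needed == null) {
            // Fail closed: a step not in the table is not served until it is added.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // getSession(false): never create a session here. A client with no session,
        // or one missing the previous step's data, skipped a step (typed URL, history):
        // send it back to the start instead of letting the step servlet 500 on a bad form.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(needed) == null) {
            response.sendRedirect(request.getContextPath() + ENTRY_POINT);
            return;
        }
        chain.doFilter(req, res);
    }
}

/** Step 1: validates its own POST, then records the result that unlocks step 2. */
@WebServlet("/session/step1")
class Step1Servlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String name = request.getParameter("name");   // assumed form field
        if (name == null || name.trim().isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "name is required");
            return;
        }
        HttpSession session = request.getSession(true);   // the session is created here
        session.setAttribute(StepOrderFilter.STEP1_DATA, name.trim());
        // Redoing step 1 discards anything collected later, so step 3 can never
        // run against a stale step 2 result from an earlier pass.
        session.removeAttribute(StepOrderFilter.STEP2_DATA);
        response.sendRedirect(request.getContextPath() + "/session/step2");
    }
}
```

Step 2's servlet follows the same pattern (validate its POST, store step2Data, redirect to step 3), and step 3 calls session.invalidate() after rendering its result, as the thread describes, so the history buttons cannot replay the flow. If the filter is wired through web.xml instead of the annotation, the filter-mapping url-pattern is /session/* and the servlet mappings are the exact paths in the table.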