A user can place an order while bypassing the order form, by entering the order parameters directly into the browser address bar: blablabla?command=order&trainId=3
How can I prevent this? I am implementing MVC using JSP, filters and the command pattern.
2 answers
Remember one simple rule: requests that change any data should always be sent using the POST method.
- Yes, but nobody can stop the user from typing whatever they want into the address bar and sending it with the GET method. - Jan Bronnikau
- So check the request method in the controller, and if it is not POST, return 400 Bad Request. - Ilya Pirogov
- Thank you; together with the last comment I will accept this answer as correct. - Jan Bronnikau
There is another option: write a hidden field with a random value into the form and save that value in the session. When the form is received, compare this parameter with the value saved in the session. If it is missing or does not match: alarm!! )
For each form output, update this token both in the form and in the session. This helps prevent CSRF attacks, and your ordering example is a special case of that.
- Thanks. Can the user use the browser address bar to save something in the session? And might it be better to use requestScope rather than the session? - Jan Bronnikau
- And how do I save a random value into the session from a JSP?? - Jan Bronnikau
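Both answers above (reject non-POST for data-changing commands; compare a hidden form token against the session) can be combined in one servlet filter in front of the front controller. The following is an added example, not code from the thread or from the asker's project. It assumes the javax.servlet API (Servlet 3.x or later, Java 9+ for Set.of), a front controller mapped at /controller that reads the command from the "command" parameter as in the question, and the assumed command names "order"/"cancelOrder" and parameter name "csrfToken" for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: guards the front controller at /controller (assumed mapping).
// Command names and the "csrfToken" parameter name are assumptions.
@WebFilter("/controller")
public class StateChangeGuardFilter implements Filter {

    // Commands that change data: only reachable by POST with a valid token.
    private static final Set<String> STATE_CHANGING = Set.of("order", "cancelOrder");
    private static final String TOKEN_ATTR = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String command = request.getParameter("command");

        if (command != null && STATE_CHANGING.contains(command)) {
            // 1. Typing ...?command=order&trainId=3 into the address bar is a GET:
            //    reject it with 400, as the first answer and its comment suggest.
            if (!"POST".equals(request.getMethod())) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "POST required");
                return;
            }
            // 2. The hidden field must match the token stored in the session
            //    (second answer). A form forged on another site cannot read it.
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            String submitted = request.getParameter(TOKEN_ATTR);
            if (expected == null || submitted == null || !constantTimeEquals(expected, submitted)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing form token");
                return;
            }
            // Single use: the next form render gets a fresh value.
            session.removeAttribute(TOKEN_ATTR);
        } else {
            // Any request that may render a form gets a fresh token in the
            // session, and the same value is exposed to the JSP via request scope.
            String token = newToken();
            request.getSession(true).setAttribute(TOKEN_ATTR, token);
            request.setAttribute(TOKEN_ATTR, token);
        }
        chain.doFilter(req, res);
    }

    // 256 bits from SecureRandom, URL-safe base64 so it is safe inside an attribute value.
    private static String newToken() {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Compare without leaking where the two strings first differ.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void destroy() { }
}
```

The JSP that renders the order form then only needs to emit the request-scoped value: `<form method="post" action="controller"><input type="hidden" name="command" value="order"><input type="hidden" name="csrfToken" value="${csrfToken}"> ... </form>`. The token has to live in the session rather than only in request scope because the form render and the form submission are two separate requests; request scope does not survive between them. Nothing the user types into the address bar can set it, since the filter writes it server-side. One caveat: rotating the token on every render, as the second answer describes, means a form open in a second tab becomes stale as soon as another page is loaded; a single per-session token avoids that at the cost of reuse within the session.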