 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / First Aid / January 2006Java/IE weirdness
I have a JSP script that validates inputted data. Upon successful input, it will 1) set a cookie 2) Do a data scrape to a URL that points to a servlet that performs server-side actions based upon query string data that is formed from your input 3) Redirect back to itself to ensure cookie availablity and further actions. If you run this script on Netscape or Firefox, all is well. If you run this script on IE, while [2] works, it seems to be performing [2] twice, because the actions are duplicated (the actions in [2] consist of placing info into flat files so you can see what is going on). Does IE have a problem with data scraping + server-side redirection (I am using response.sendRedirect()) that I don't know about? Thanx Phil >I have a JSP script that validates inputted data. Upon successful > input, it will [quoted text clipped - 15 lines] > Does IE have a problem with data scraping + server-side redirection (I > am using response.sendRedirect()) that I don't know about? When writing sever-client applications to be deployed on the Internet (of which web-applications-and-web-browsers are a special case), never depend on specific behaviour from the clients. They can completely break protocol at any point, and do as they please. The worst case is a malicious user manually sending carefully constructed packets to your server to try to cause mayhem. I'm not sure what high-level feature you're trying to implement here, but you should try to design your protocol so that if the client breaks protocol (by omitting steps, doing additional steps, or performing steps out of order), your server should be able to recover gracefully. - Oliver Considering it's a simple chatroom with a single form element (text field where you enter your username), which has both client and server-side validation (for size and character input, along with server-side checking for duplicate nickname and if the chatroom is "full" [maximum users at one time]), I thought I had web app security cornered in that respect. As far as client browser protocol behavior, it appears IE is not able to figure out that you data scrape and then redirect; it seems to want to data scrape => redirect => data scrape || data scrape => data scrape => redirect Again, this doesn't happen in any other tested browser (I haven't yet tried Opera), including Konqueror. Phil > >I have a JSP script that validates inputted data. Upon successful > > input, it will [quoted text clipped - 29 lines] > > - Oliver > Considering it's a simple chatroom with a single form element (text > field where you enter your username), which has both client and [quoted text clipped - 12 lines] > > Phil I'm not sure what the parallel lines mean in the above notation, but isn't the datascraping occuring at the JSP level, and outside of Internet Explorer's control? The problem might be with IE, but I suspect it has more to do with the HTTP protocol than anything about data scraping. - Oliver > I have a JSP script that validates inputted data. Upon successful > input, it will [quoted text clipped - 18 lines] > Thanx > Phil So I can masquerade as anyone else on your server easily? How do you prevent infinite redirections? I would recommend setting up a simple proxy on your machine and sending IE through it to see what requests it is making. There is a Java one named charles. http://www.xk72.com/charles/http-proxy.html This will enable you to see whether IE makes 2 requests or just one strange one, and what responses your app are sending that may trigger it. Perhaps doing one trace with IE and one with FF will help you to see what is going on. By the way, the proxy is a little sticky to use, but it is possible to do simple things like this with out too much trouble. James Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.