Posted to users@tomcat.apache.org by lightbulb432 <ve...@hotmail.com> on 2007/10/04 06:21:26 UTC

Race condition with values displayed across redirects

I have a question about whether there is a race condition with the following
technique for displaying messages across redirects.

If you submit a form with an invalid value on page P1 and the receiving
servlet S redirects to another page P2, you'd like page P2 to contain a
message saying "You entered an invalid value". You can only put the value in
the session (not the request, because it's a redirect, not a forward), with
session.setAttribute("message","You entered an invalid value").

In page P2, you'd display ${message}. But to ensure that the message doesn't
remain in the method upon every access to page P2, including when valid
information is submitted, you'd create a filter that applies to servlet S
with the following code:

chain.doFilter(request,response);
session.removeAttribute("message");

This method seems to work, but is there a race condition? My understanding
is that when a servlet does a redirect, the redirect occurs in a new thread
and the rest of the current servlet execution continues (including filters)
to completion in the current thread. Couldn't the filter on servlet S
complete execution (and remove the "message" attribute) before page P2
renders, thereby leaving ${message} empty?

Thanks.
-- 
View this message in context: http://www.nabble.com/Race-condition-with-values-displayed-across-redirects-tf4565759.html#a13032386
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Race condition with values displayed across redirects

Posted by Christopher Schultz <ch...@christopherschultz.net>.

lb,

lightbulb432 wrote:
> So would the following be a good way of approaching this using filter
> mappings (where the filter is as described in the OP)?
> - No filter on all servlets that can, upon success or failure, redirect to
> another page
> - Filters on all JSPs with a ${message} anywhere in their markup
> 
> In what ways could I use the dispatcher element to enhance the setup
> further?

Well, my recommendation would be to bag the redirect-through-session
stuff and just show errors as forwards (not redirects). Then you don't
have to worry about cleaning-up error messages from the session.

I believe your solution violates the principle of least surprise: if I
submit a form and it fails, a RELOAD ought to cause the same error. In
your scenario, the error disappears (which is surprising if you ask me).

Avoiding the redirect also allows you to redisplay the contents of the
form without playing games with the session.

-chris


Re: Race condition with values displayed across redirects

Posted by lightbulb432 <ve...@hotmail.com>.

> I know people like to avoid those, but get real: refreshing a failed
> POST ought to re-POST the data (that will fail again). You should really
> only redirect on success.

Agreed, it's a much bigger consideration on success than failure. But once
you figure out a good way of approaching the issue on success, I imagine
it'd be just as easily applicable on failure?


>> Passing the message in the request parameter (suggested by Mark) doesn't
>> seem like the ideal solution, because (assuming a parameterized message
>> based on submitted POST values) you'd need to pass the actual message in the
>> query string. Not only would you have an ugly URL, but also someone could
>> visit that page with their own message by changing the query string.
> 
> Oh, no! Someone could mount an XSS attack on themselves! :p

:) Good call - I guess the ugly URL would be the main reason here, if any.


>> Is there an ideal way to tell servlet S (one way I can think of is request
>> attributes - anything else?) not to execute its filter when a redirect has
>> been performed (i.e. to perform no further execution of its thread because
>> the request has redirected away from it)? That way, am I correct to say you
>> have a good solution - no race condition, no messages in query string, and
>> you can use redirects as desired?
> 
> Um, <dispatcher>?

So would the following be a good way of approaching this using filter
mappings (where the filter is as described in the OP)?
- No filter on all servlets that can, upon success or failure, redirect to
another page
- Filters on all JSPs with a ${message} anywhere in their markup

In what ways could I use the dispatcher element to enhance the setup
further?

Thanks.
-- 
View this message in context: http://www.nabble.com/Race-condition-with-values-displayed-across-redirects-tf4565759.html#a13044760
Sent from the Tomcat - User mailing list archive at Nabble.com.
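
One way to implement the mapping proposed in the message above (a filter on the pages that display ${message} instead of on servlet S), as an added example that is not code from the thread. It assumes the javax.servlet API; the filter name, the /p2.jsp pattern and the class name are hypothetical. The message is taken out of the session at the start of the request that renders P2, so nothing depends on when servlet S's thread finishes.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * Added example (not from the thread). Map it to the pages that render
 * ${message}, not to servlet S, e.g. in web.xml (hypothetical names):
 *
 *   <filter-mapping>
 *     <filter-name>flashMessage</filter-name>
 *     <url-pattern>/p2.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *   </filter-mapping>
 *
 * REQUEST limits the filter to requests that arrive from the client, so a
 * forward or include to the same page does not consume the message.
 */
public class FlashMessageFilter implements Filter {
    private static final String KEY = "message";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false): never create a session just to look for a message.
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null) {
            Object message;
            // Assumption: the container hands concurrent requests the same
            // HttpSession object. If it does not, two parallel requests may
            // both show the message; it is still never removed unseen.
            synchronized (session) {
                message = session.getAttribute(KEY);
                if (message != null) {
                    session.removeAttribute(KEY);
                }
            }
            if (message != null) {
                // ${message} checks request scope before session scope.
                req.setAttribute(KEY, message);
            }
        }
        chain.doFilter(req, res); // render P2 with the request-scoped copy
    }
}
```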




Re: Race condition with values displayed across redirects

Posted by Christopher Schultz <ch...@christopherschultz.net>.

lb,

lightbulb432 wrote:
> Redirects are used so that users don't encounter the resubmit warning by the
> browser when they refresh the page, and so that page refreshes don't result
> in the POST being resent to the server.

I know people like to avoid those, but get real: refreshing a failed
POST ought to re-POST the data (that will fail again). You should really
only redirect on success.

> Passing the message in the request parameter (suggested by Mark) doesn't
> seem like the ideal solution, because (assuming a parameterized message
> based on submitted POST values) you'd need to pass the actual message in the
> query string. Not only would you have an ugly URL, but also someone could
> visit that page with their own message by changing the query string.

Oh, no! Someone could mount an XSS attack on themselves! :p

> Is there an ideal way to tell servlet S (one way I can think of is request
> attributes - anything else?) not to execute its filter when a redirect has
> been performed (i.e. to perform no further execution of its thread because
> the request has redirected away from it)? That way, am I correct to say you
> have a good solution - no race condition, no messages in query string, and
> you can use redirects as desired?

Um, <dispatcher>?

-chris


Re: Race condition with values displayed across redirects

Posted by lightbulb432 <ve...@hotmail.com>.
Redirects are used so that users don't encounter the resubmit warning by the
browser when they refresh the page, and so that page refreshes don't result
in the POST being resent to the server. While it's a smaller consideration
when messages for invalid values are displayed, it's a bigger consideration
in cases where you're displaying a success message (and must do a redirect
for usability reasons - e.g. seeing a new URL as opposed to the servlet's
URL, no browser warnings on refresh) - then you would use the redirect.

Passing the message in the request parameter (suggested by Mark) doesn't
seem like the ideal solution, because (assuming a parameterized message
based on submitted POST values) you'd need to pass the actual message in the
query string. Not only would you have an ugly URL, but also someone could
visit that page with their own message by changing the query string.

Is there an ideal way to tell servlet S (one way I can think of is request
attributes - anything else?) not to execute its filter when a redirect has
been performed (i.e. to perform no further execution of its thread because
the request has redirected away from it)? That way, am I correct to say you
have a good solution - no race condition, no messages in query string, and
you can use redirects as desired?



Christopher Schultz-2 wrote:
> 
> Mark,
> 
> Mark Thomas wrote:
>> lightbulb432 wrote:
>>> I have a question about whether there is a race condition with the following
>>> technique for displaying messages across redirects.
>> 
>> Yes there is.
>> 
>>> If you submit a form with an invalid value on page P1 and the receiving
>>> servlet S redirects to another page P2, you'd like page P2 to contain a
>>> message saying "You entered an invalid value". You can only put the value in
>>> the session (not the request, because it's a redirect, not a forward), with
>>> session.setAttribute("message","You entered an invalid value").
>> 
>> Why not pass the information to P2 using a request parameter on the
>> redirect?
> 
> Or, better yet, why use a redirect at all? Then you don't have to mess
> with the session. Most post/validate/error flows I've seen all execute
> within the same request. Don't respond with a redirect; just redisplay
> the input form with the error messages attached. Then you don't have to
> worry about cleaning-up the session.
> 
> -chris

-- 
View this message in context: http://www.nabble.com/Race-condition-with-values-displayed-across-redirects-tf4565759.html#a13043900
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Race condition with values displayed across redirects

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

Mark Thomas wrote:
> lightbulb432 wrote:
>> I have a question about whether there is a race condition with the following
>> technique for displaying messages across redirects.
> 
> Yes there is.
> 
>> If you submit a form with an invalid value on page P1 and the receiving
>> servlet S redirects to another page P2, you'd like page P2 to contain a
>> message saying "You entered an invalid value". You can only put the value in
>> the session (not the request, because it's a redirect, not a forward), with
>> session.setAttribute("message","You entered an invalid value").
> 
> Why not pass the information to P2 using a request parameter on the
> redirect?

Or, better yet, why use a redirect at all? Then you don't have to mess
with the session. Most post/validate/error flows I've seen all execute
within the same request. Don't respond with a redirect; just redisplay
the input form with the error messages attached. Then you don't have to
worry about cleaning-up the session.

-chris


Re: Race condition with values displayed across redirects

Posted by Mark Thomas <ma...@apache.org>.
lightbulb432 wrote:
> I have a question about whether there is a race condition with the following
> technique for displaying messages across redirects.

Yes there is.

> If you submit a form with an invalid value on page P1 and the receiving
> servlet S redirects to another page P2, you'd like page P2 to contain a
> message saying "You entered an invalid value". You can only put the value in
> the session (not the request, because it's a redirect, not a forward), with
> session.setAttribute("message","You entered an invalid value").

Why not pass the information to P2 using a request parameter on the
redirect?

Mark
