Posted to user@struts.apache.org by Jonathan Asbell <ja...@i-2000.com> on 2001/04/29 20:59:13 UTC

Correctly using token mechanism

After studying how the token mechanism works, I understand the following:

1) The token is a unique identifier (value) which may be found in the Session and Request, which is used with certain form submissions.

2) It is created, if it does not already exist, by an Action object that wants to use one, and its value is subsequently put in the session.

3) Its value is taken from the Session and used in conjunction with an org.apache.struts.taglib.html.FormTag as a hidden form field value.

4) When the form is submitted, the token's value in the submitted form request is compared to the value of the token sitting in the Session.  If they are equal then the Action may be processed.

QUESTION 1:  In what situation should we use the token mechanism, as it seems that in the Struts example not all form actions need it.

QUESTION 2:  At what strategic point should the token be created for use, as it seems like one Action creates it and another Action looks for it and uses it?

Re: Correctly using token mechanism

Posted by "Craig R. McClanahan" <cr...@apache.org>.
It appears this never got answered, so better late than never ...

On Sun, 29 Apr 2001, Jonathan Asbell wrote:

> After studying how the token mechanism works, I understand the following:
> 
> 1) The token is a unique identifier (value) which may be found in the
> Session and Request, which is used with certain form submissions.
> 
> 2) It is created, if it does not already exist, by an Action object
> that wants to use one, and its value is subsequently put in the
> session.
> 
> 3) Its value is taken from the Session and used in conjunction with an
> org.apache.struts.taglib.html.FormTag as a hidden form field value.
> 
> 4) When the form is submitted, the token's value in the submitted form
> request is compared to the value of the token sitting in the Session.  
> If they are equal then the Action may be processed.
> 
> QUESTION 1:  In what situation should we use the token mechanism, as
> it seems that in the Struts example not all form actions need it.
> 

There's nothing stopping you from using it on every single request.  
However, the primary purpose is to catch the user that does things like
the following:
* Submit a form
* Hit the back arrow
* Submit the form again

If a user who does this will cause undesirable consequences (like adding
two items to your shopping cart instead of one :-), then use the token.

> QUESTION 2:  At what strategic point should the token be created for
> use, as it seems like one Action creates it and another Action looks
> for it and uses it?
> 

The token has to be created "before" the page you are trying to protect
against multiple submits is displayed.  My general pattern is to have one
action that sets up the data for a form (editRegistration and
editSubscription in the example app) and a separate action that actually
processes the results (saveRegistration or saveSubscription).  In such a
case, I would set up the token in the "editXxx" action, and check it in
the "saveXxx" action.

Craig
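The editXxx / saveXxx split Craig describes, written out as an added example (not code from the thread or from the Struts example app). Class names, forward names and the "order" scenario are assumed; the two classes are shown together here but would each live in their own file. It uses the Action helpers saveToken(), isTokenValid() and resetToken() from org.apache.struts.action.Action.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Step 1: the "editXxx" action. It prepares the form data and stores a
 *  fresh token in the session. When the JSP renders its <html:form>, the
 *  FormTag reads that token and emits it as a hidden field. */
public class EditOrderAction extends Action {            // hypothetical name
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        // ... load whatever the form needs into request/session scope here ...
        saveToken(request);                  // generates a new token and puts it in the session
        return mapping.findForward("form");  // "form" is an assumed forward name in struts-config.xml
    }
}

/** Step 2: the "saveXxx" action. It does the real work only if the hidden
 *  field matches the session token, and then discards the token so that
 *  Back + resubmit (which replays the same hidden value) is rejected. */
public class SaveOrderAction extends Action {            // hypothetical name
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        if (!isTokenValid(request)) {
            // No token in the request, or one that was already consumed:
            // treat it as a duplicate submit and do NOT repeat the work.
            return mapping.findForward("duplicate");   // assumed forward name
        }
        // Consume the token before doing the work, so a second copy of the
        // same submit arriving right behind this one fails the check above.
        resetToken(request);
        // ... perform the side effect exactly once (e.g. add the item to the cart) ...
        return mapping.findForward("success");         // assumed forward name
    }
}
```

If the save action redisplays the form on a validation error, call saveToken(request) again before forwarding back to it, otherwise the corrected resubmission will be rejected as a duplicate.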