You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Yan Hu <ya...@yahoo.com> on 2005/04/19 03:46:19 UTC
Identify users
Hi:
I have a question. I need to check if a user is the one who has permission to a certain action.
His role is stored in the database, for example user.isStudent. The whole student object is
stored in the session after he logs in successfully . From that point on, every time he sends a
request that invokes an action , I need to verify if this student is who he claims he is. I could
include a hidden field for example, his email in every page I send back to him and get this
property back to verify who he is. I was wondering if this approach is problematic since he could
manipulate the hidden field. Any better solutions to that? Thanks a lot!
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Identify users
Posted by "Michael J." <jm...@gmail.com>.
Struts and web browser already verified it for you. The whole point of
establishing a session is to correlate a browser to the server.
Browser already sends a cookie containing session ID to the server
along with each request. So as long as you can retrieve the user
object from the session, corresponding to incoming request, you know
that you are dealing with the right guy.
Search keyword: "session tracking".
On 4/18/05, Yan Hu <ya...@yahoo.com> wrote:
> I need to check if a user is the one who has permission to a certain action.
> His role is stored in the database, for example user.isStudent.
> The whole student object is stored in the session after he logs in successfully .
> From that point on, every time he sends a request that invokes an action ,
> I need to verify if this student is who he claims he is. I could
> include a hidden field for example, his email in every page I send back
> to him and get this property back to verify who he is. I was wondering
> if this approach is problematic since he could manipulate the hidden field.
> Any better solutions to that? Thanks a lot!
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org