By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,634 Members | 1,897 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,634 IT Pros & Developers. It's quick & easy.

refresh without request parameters?

P: n/a
Hi,

I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something
from a database. The problem is that when the user presses refresh that same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??

Regards
Bo
Jul 23 '05 #1
Share this Question
Share on Google+
10 Replies


P: n/a
On 8/10/04 2:10 pm, Bo Rasmussen wrote:
Hi,

I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something
from a database. The problem is that when the user presses refresh that same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Ask Google about cookies and session IDs.

--
Philip Ronan
ph***********@virgin.net
(Please remove the "z"s if replying by email)
Jul 23 '05 #2

P: n/a
Hi Philip,

Could you please sketch what a solution should look like - that would help
me a lot before I start looking into the large number of hits I get from
from google? Thanks in advance

Regards
Bo Rasmussen
"Philip Ronan" <ph***********@virgin.net> wrote in message
news:BD8C5160.2333F%ph***********@virgin.net...
On 8/10/04 2:10 pm, Bo Rasmussen wrote:
Hi,

I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something from a database. The problem is that when the user presses refresh that same URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Ask Google about cookies and session IDs.

--
Philip Ronan
ph***********@virgin.net
(Please remove the "z"s if replying by email)

Jul 23 '05 #3

P: n/a
Ivo
"Bo Rasmussen" wrote
I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something
from a database. The problem is that when the user presses refresh that same URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Absolutely. This is exactly why they invented GET and POST as two very
different forms submission methods. The GET method, with parameters attched
to an url, is fine when requesting information from a database, but to
modify that database one should always use POST. Spelled out url's are
bookmarked, show up in referrer logs, some spiders interpret GETted forms,
.... What if everytime the Googlebot crawled your page something was deleted
from your database?
HTH
--
Ivo
Jul 23 '05 #4

P: n/a
Hello Ivo,

That sure helps - thanks ;o)

I can see that stuff like

<a href=\"" + request.getRequestURI() + "?delete=yes\">

are shattered all over the place. Is there any way that I can quickly
replace these with stuff that uses POST.

I know I can insert buttons for this purpose - but isn't there a way to make
links that POST.

Regards
Bo Rasmussen

"Ivo" <no@thank.you> wrote in message
news:41***********************@news.wanadoo.nl...
"Bo Rasmussen" wrote
I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something from a database. The problem is that when the user presses refresh that same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Absolutely. This is exactly why they invented GET and POST as two very
different forms submission methods. The GET method, with parameters

attched to an url, is fine when requesting information from a database, but to
modify that database one should always use POST. Spelled out url's are
bookmarked, show up in referrer logs, some spiders interpret GETted forms,
... What if everytime the Googlebot crawled your page something was deleted from your database?
HTH
--
Ivo

Jul 23 '05 #5

P: n/a
Bo Rasmussen wrote:
Hello Ivo,

That sure helps - thanks ;o)

I can see that stuff like

<a href=\"" + request.getRequestURI() + "?delete=yes\">

are shattered all over the place. Is there any way that I can quickly
replace these with stuff that uses POST.

I know I can insert buttons for this purpose - but isn't there a way to make
links that POST.

Regards
Bo Rasmussen

"Ivo" <no@thank.you> wrote in message
news:41***********************@news.wanadoo.nl...
"Bo Rasmussen" wrote

I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete
something
from a database. The problem is that when the user presses refresh that


same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes


Another option is to do a redirect in the mypage.jsp?delete=yes page,
for example to mypage.jsp or mypage.jsp?deleted=yes (mind the extra "d").

That way a reload won't delete a thing.

Edwin Martin

--
http://www.bitstorm.org/edwin/en/
Jul 23 '05 #6

P: n/a
Ivo
"Edwin Martin" wrote
Bo Rasmussen wrote:
"Ivo" wrote
"Bo Rasmussen" wrote
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes
Another option is to do a redirect in the mypage.jsp?delete=yes page,
for example to mypage.jsp or mypage.jsp?deleted=yes (mind the extra "d").

That way a reload won't delete a thing.


No no no. You 're missing the point. It is dangerous, not to say suicidal,
to have a serverside script waiting for such url's to 'update' the database.
You never know who (or what) might read those url's because there is no
way you can keep them for yourself.
I can see that stuff like

<a href=\"" + request.getRequestURI() + "?delete=yes\">

are shattered all over the place. Is there any way that I can quickly
replace these with stuff that uses POST.

I know I can insert buttons for this purpose - but isn't there a way to
make links that POST.


You can "document.forms['myformwithPOSTmethod'].submit()" onclick using
javascript. But I 'd see that as a temporary solution while you rewrite your
pages, as there really is no need to rely on javascript for this.
HTH
--
Ivo


Jul 23 '05 #7

P: n/a
Hmm,

Now I've changed everything such that all actions taken when the user press
a button results in a POST request. But the problem remains - when the user
refreshes the page the same request is fired again. The address line in IE
says

http://myserver/mypage.jsp

but it seems a POST request is fired with parameters

http://myserver/mypage.jsp?delete=yes

any help is appreciated

Regards
Bo


"Ivo" <no@thank.you> wrote in message
news:41***********************@news.wanadoo.nl...
"Bo Rasmussen" wrote
I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something from a database. The problem is that when the user presses refresh that same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Absolutely. This is exactly why they invented GET and POST as two very
different forms submission methods. The GET method, with parameters

attched to an url, is fine when requesting information from a database, but to
modify that database one should always use POST. Spelled out url's are
bookmarked, show up in referrer logs, some spiders interpret GETted forms,
... What if everytime the Googlebot crawled your page something was deleted from your database?
HTH
--
Ivo

Jul 23 '05 #8

P: n/a
Now I have changed it so that requests are POST. But still the problem
remain! When the user refrehes that same POST request is fired again! The IE
address line says http://myserver/mypage.jsp but
http://myserver/mypage.jsp?delete=yes
is fired???

Regards
Bo

"Ivo" <no@thank.you> wrote in message
news:41***********************@news.wanadoo.nl...
"Bo Rasmussen" wrote
I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something from a database. The problem is that when the user presses refresh that same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Absolutely. This is exactly why they invented GET and POST as two very
different forms submission methods. The GET method, with parameters

attched to an url, is fine when requesting information from a database, but to
modify that database one should always use POST. Spelled out url's are
bookmarked, show up in referrer logs, some spiders interpret GETted forms,
... What if everytime the Googlebot crawled your page something was deleted from your database?
HTH
--
Ivo

Jul 23 '05 #9

P: n/a
Hi Edwin Martin,

Thanks - that really did the job. Following a POST request (which may have
changed the database) I redirect to mypage.jsp.
Best regards
Bo Rasmussen
"Edwin Martin" <e.********@chello.nl> wrote in message
news:6F*****************@amsnews02.chello.com...
Bo Rasmussen wrote:
Hello Ivo,

That sure helps - thanks ;o)

I can see that stuff like

<a href=\"" + request.getRequestURI() + "?delete=yes\">

are shattered all over the place. Is there any way that I can quickly
replace these with stuff that uses POST.

I know I can insert buttons for this purpose - but isn't there a way to make links that POST.

Regards
Bo Rasmussen

"Ivo" <no@thank.you> wrote in message
news:41***********************@news.wanadoo.nl...
"Bo Rasmussen" wrote
I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete


something
from a database. The problem is that when the user presses refresh that

same

URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes


Another option is to do a redirect in the mypage.jsp?delete=yes page,
for example to mypage.jsp or mypage.jsp?deleted=yes (mind the extra "d").

That way a reload won't delete a thing.

Edwin Martin

--
http://www.bitstorm.org/edwin/en/

Jul 23 '05 #10

P: n/a
In addition to the information that the user wishes to delete a record, you
should have, at a minimum, a unique session id associated with that user's
session, correct?

So, pass that session id, compare it to the current session id, and also keep a
record in the session of all the records the user has requested be deleted.

So, your URL goes from:

mypage.asp?delete=1
to
mypage.asp?delete=1&record_key=12345&session_id=@@ @@1234567890@@@@

In your ASP you do something like (I don't work in ASP so I don't know how to
retrieve the current Session id, so this is JScript psuedo-code):

if (!Session['deleted']) {
Session['deleted'] = {};
}
if (!Session['deleted']['table_name']) {
Session['deleted']['table_name'] = {};
}
var recordKey = Request.Value('record_key');
if ((+Request.Value('delete') == 1) &&
Request.Value('session_id') == Session.ID &&
!Session['deleted']['table_name'][recordKey]) {

// delete the record
Session['deleted']['table_name'][recordKey] = true;
}

Now if someone tries to reload the same URL twice within the same session, it
fails because you've recorded a change in the table matching some unique value
within that table.

If someone tries to E-mail that URL to someone else, even if the other person
can actually log into your system and establish a session, it will have a
different session id than the session id on the URL and the delete will fail.

Someone might know how to find their current session id and change the URL to
reflect their session id, so you could add:

mypage.asp?delete=1&record_key=12345&session_id=@@ @@1234567890@@@@&ts=<currentTimeInMilliseconds>

Then in your page you could test that timestamp against the current time on the
server, if it's different by more than say, 5 minutes, don't allow the delete.

Again, someone might know what the additional parameter is for and attempt to
change it so they can still delete the record, so if you want additional
security, encode the session_id on the URL using RC4 and some passphrase known
only to your ASP code, that would make it much more difficult for the end user
to "spoof" the session id and hijack the session.

I've got a page where some important data is concatenated with strings of
various length containing random characters inserted at fixed points within the
important data. The resulting string is then RC4 encoded on the URL using
REMOTE_USER, a value from the server system clock with it's accuracy reduced to
only 30 minutes plus an additional "secret" phrase. This means that the URL
produced is valid only for that user, for that session and for a period of 30
minutes from when I generate the page containing the link.

Admittedly this is still not completely secure, but I have a fair amount of
confidence that the resulting RC4 string can not be successfully decoded and
used within the same timeframe as the link is valid for. And considering
REMOTE_USER is a result of server authentication, they'd have to have hacked the
person's account before they could even begin to reverse engineer the URL. As
well, if a user attempts to E-mail the URL to someone else, and that someone
else authenticates against the server under their own username, the URL will not
decode properly and it simply won't work.
In other words, the solution you are looking for is not a client-side JavaScript
solution. The solution you are looking for is to do something on the server that
completely prevents the same user from doing the same thing during the same
session. In addition, you should think of the situation another user
deliberately (or accidentally) obtains a valid URL (containing the right session
id, the right timestamp, etc) and prevent _them_ from doing that task as well.

Using POST is simply _not_ secure and not a safe replacement for GET. I can
write a C# application in a few minutes that would repeatedly POST:
http://yourserver/mypage.asp?delete=1&record=1 (then 2, 3, 4, 5, 6...). You
_must_ validate the incoming information against what you already know about the
user, what they have the ability to do and what they have already done.

Bo Rasmussen wrote:
Now I have changed it so that requests are POST. But still the problem
remain! When the user refrehes that same POST request is fired again! The IE
address line says http://myserver/mypage.jsp but
http://myserver/mypage.jsp?delete=yes
is fired???

Regards
Bo

"Ivo" <no@thank.you> wrote in message
news:41***********************@news.wanadoo.nl...
"Bo Rasmussen" wrote
I have a problem : I have a form with some buttons. When one of these
buttons is pressed a new URL with some parameters to e.g. delete something from a database. The problem is that when the user presses refresh that

same
URL is fired with the parameters to delete again - this sometimes gives
strange behaviour. Is there any way that I can stip of parameters when
reloading a page such that only the webpage is deleted e.g.

http://myserver/mypage.jsp?delete=yes

becomes

http://myserver/mypage.jsp

Or should this be handled some other way??


Absolutely. This is exactly why they invented GET and POST as two very
different forms submission methods. The GET method, with parameters

attched
to an url, is fine when requesting information from a database, but to
modify that database one should always use POST. Spelled out url's are
bookmarked, show up in referrer logs, some spiders interpret GETted forms,
... What if everytime the Googlebot crawled your page something was

deleted
from your database?
HTH
--
Ivo


--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq

Jul 23 '05 #11

This discussion thread is closed

Replies have been disabled for this discussion.