Solved

Application Flow Problem with Session problem

Posted on 2003-03-07
Last Modified: 2010-04-01
I am not an English literature person and I am trying my best to explain it in English. I hope you will all bear with me and patiently go through this with me.

I have finished almost 80% of a system which consists of 4 JSPs and a couple of JavaBeans: A.jsp, B.jsp, C.jsp, and D.jsp. The first 3 JSPs ask the user to key in their data and at the same time check for consistency along the flow of the pages.

In A.jsp, I have a few JavaBeans declared; for example, one of them is like this,
<jsp:useBean id="beanA" scope="session" class="xxx.beanA" />

In B.jsp, since I am going to use the same bean again, so,
<jsp:useBean id="beanA" scope="session" class="xxx.beanA" />
again right?

And in C.jsp, once again I am going to use this bean,
<jsp:useBean id="beanA" scope="session" class="xxx.beanA" />.


Please observe the scope: I put "session". This is because, from the book, it's identical in terms of workstation (browser). So, in order for me to pass all those properties along the pages, I have to do so. (Or else, any other recommendation?)

So, finally of course, down the road when the user goes along these 3 pages, I will need to perform a final check in D.jsp. Here, I need to check the consistency of all the data that the user keyed in in the previous JSP pages, A.jsp, B.jsp, C.jsp. I MANAGED to do this.

When the user keys in wrong or inconsistent data, I can throw the user out before they can go into D.jsp. Fantastic, right?

OK, here is the problem.

The first time, the user manages to key in correct and consistent data, and he is APPROVED to enter D.jsp to perform the updating part. After D.jsp displays on the screen, the user clicks the "BACK" button on the browser, manages to go back to C.jsp, and enters a wrong and inconsistent entry that SHOULDN'T be approved by the system. But he manages to update the data. This is because the bean that I declared uses "session" scope. If the user gets approved the first time, then as long as they don't close the browser, he can do whatever he wants, unless he clicks the refresh button after he clicked the back button.

So, in other words, he got approved the first time. Then he clicks the "back" button to go back to the previous screen, enters wrong info and, as long as he doesn't click the refresh button on the page and goes straight to clicking the update/submit button, he manages to do so.

These are the few solutions I am thinking of (or maybe you can suggest more). Please share with me the pros and cons, and anything other than these.

1. I can disable the Back button in the browser using JavaScript to prevent the user from going back.

2. DO NOT use the "scope" in <jsp:useBean..... />, and try to code my own session handling like
<%     session.setAttribute("loggedin", username);   %>
<% session.getAttribute("loggedin")==null %> etc....

But if I am going to check 10 items of data, then I will have 10 session attributes stored. That seems to be wasting resources.

3. Use a <jsp:forward> tag to forward the page to another page. Meaning that when I display D.jsp, I put in a tag to direct D.jsp back to A.jsp so that the user can redo it again starting from the beginning...

4. Redo my coding in the JavaBean. It's a programming logic problem. (I have a feeling it is because of this.)

Experts, any ideas?
0
Question by:pk55200
18 Comments
 
LVL 3

Expert Comment

by:NetWize
ID: 8087996
Hi,

I'm not sure if I got you right, but maybe it would be a solution to invalidate the user's session on page D?
That is: once the data is queued and approved, the session is "killed", so if the user enters any page again (A, B, or C) the session will be "empty" and the check will fail.

It's done by

request.getSession().invalidate();


Or you use the <jsp:forward> and start a new session every time the user enters A?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8088845
1:  Make sure no page is cached.  And store a session var to indicate what step/page they are on.  Check that session var on each page.

2:  If you have to check 10 vars between pages, you have to store them in session.  You can use a hashtable or hashmap to store the vars in one object, but in essence it's the same.

3: If you are storing things in session, you can use response.sendRedirect(url); instead of forward.  IMHO, it would be cleaner.

4: Can you post your JavaBean code so we can look at it?

CJ
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8089385
>> Please observe the scope, I put "session".
What you have done is perfectly right.

>> When user key in wrong or inconsistency datas, I can throw user out before they can go into D.jsp. Fantastic right?
Where did you put this logic? JavaScript in C.jsp or Java code in D.jsp?

>> Enter a wrong info and as long as he didn't click the refresh button in the page then straight click update/submit button. He manage to do so
I don't quite get you here. Let's say he goes back to C.jsp and changes something in C.jsp, say changes the amount to -1; when he clicks the update/submit button, why didn't your validation logic kick in? This is related to my previous question.

>> 1. I can disable the Back button in the browser using JavaScript to prevent user to go back.

I don't think you can disable the back button only, but you can open a new window without toolbar and menu, and you must override right click in your page.

The alternative to this is to expire your page:
     response.setHeader("Pragma", "no-cache");
     response.setHeader("Cache-Control", "no-store");
     response.setDateHeader("Expires", 0);

>> 2. DO NOT use the "scope" in <jsp:useBean..... />. And try to code my own session handling like ......
It seems to me that what you are trying to do is essentially the same as what you have done.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8089400
I don't know if you have already done so, but it is important that you validate everything again in your D.jsp before you do any real update to the database. If you find anything incorrect, you can use <jsp:forward> or response.sendRedirect(...) to send the user to the page which contains the wrong data.
Also, make sure you only update the database in D.jsp.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8089420
for your question 4, it's hard to say before I can have a look at your code.
0
 

Author Comment

by:pk55200
ID: 8093375
Guys, Thank you for your time. Let me reply one by one.

NetWired,

Can I use "session.invalidate()" for the session that I created through the <jsp:useBean  >'s scope? Meaning to say this:
<jsp:useBean id=BeanA scope="session"..../>
BeanA.session.invalidate(); ??
Not sure whether this is working? request.getSession.invalidate();


CJ,
Yes, this is the second time I hear someone saying to "un-cache" the page that you display. 2 add-on questions.
1. Can it be done if my LAN setting or my ISA server enables page caching every time the user browses a web page?
2. If yes, can you share some code with me?
0
 

Author Comment

by:pk55200
ID: 8093403
Guys, Thank you for your time. Let me reply one by one.

NetWired,

Can I use "session.invalidate()" for the session that I created through the <jsp:useBean  >'s scope? Meaning to say this:
<jsp:useBean id=BeanA scope="session"..../>
BeanA.session.invalidate(); ??
Not sure whether this is working? request.getSession.invalidate();


CJ,
Yes, this is the second time I hear someone saying to "un-cache" the page that you display. 2 add-on questions.
1. Can it be done if my LAN setting or my ISA server enables page caching every time the user browses a web page?
2. If yes, can you share some code with me?

ken,
The checking of consistency is in the JavaBean. And in detail, it's the bean attached to D.jsp.

I am interested in your ideas. How can I create a new page and disable the menu and the toolbar? Show some sample code please....

    response.setHeader("Pragma", "no-cache");
    response.setHeader("Cache-Control", "no-store");
    response.setDateHeader("Expires", 0);

Is this supposed to be added in my JSP tag or HTML tag?

>>It seems to me that what you are trying to do is essentially the same as what you have done.
NO.. ken, not right. At least I have better control, but too much code needs to be written and it looks inconsistent. Let's say I have 5 data items whose consistency needs checking. Then I must have 2 attributes stored differently in the session.

>>if you find anything incorrect, you can use <jsp:forward> or response.sendRedirect(...)
hm,.... sounds interesting also. respond.sendRedirect(). But so sorry, this is the first time I hear of this. Any good sample for reference? Is it in <% %> or HTML?

One add-on.. will this session eat up my memory, or is it handled on the client side? I understand cookies are on the client side, and I am not sure whether the session is on the server or the client. I didn't manage to find any information on www.javaWorld.com. Any URL for me...

Frankly speaking, I prefer to use the session invalidate function, but also disable the cache. But I lack sample programs......
 

0
 
LVL 3

Expert Comment

by:NetWize
ID: 8093711
The session lies completely in server memory; the client cookie is only used to identify a single session. And don't worry too much about memory. 10 (String?) values in a session is absolutely no problem as long as you're not serving millions of clients at a time.

If you invalidate the session
<% request.getSession().invalidate(); %>
all data in that session is lost and the next client request creates a new session.

So if you'd want the server to "forget" everything the client entered before, that would be the way.

Disabling caching won't work for the back button, as that page is almost always stored in the browser cache, on which the given directives have no effect.

You could design your HTML forms to use method="POST", which makes going "back" harder for the browser as it'd have to send the same values again (which causes the user to be asked in most browsers)
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8093875
Disabling caching can work for most scenarios (agreed, not all).  Sometimes the browser will pull the page from the server even on the click of the back button if it knows that the page was not supposed to be cached.

Disabling cache on IE needs specific headers (in a specific order); in fact it is recommended to put them at the beginning and end (to ensure it, for some reason).  Here is what we use and it works:
Actually, the best thing that works in IE is to have the following:
<%
response.addHeader("Pragma", "No-cache");
response.addHeader("Cache-Control", "no-cache");
response.addDateHeader("Expires", 0);
%>

BOTH in the head of the page and the bottom of the page (I read this on a message board and it seems to work for me)

<html>
<head>
<%
response.addHeader("Pragma", "No-cache");
response.addHeader("Cache-Control", "no-cache");
response.addDateHeader("Expires", 0);
%>
</head>
<body>

....

</body>
<%
response.addHeader("Pragma", "No-cache");
response.addHeader("Cache-Control", "no-cache");
response.addDateHeader("Expires", 0);
%>

</html>

We use the above effectively in all of our account and cart pages.

read up:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q222064
http://support.microsoft.com/support/kb/articles/Q234/2/47.ASP

HTH,
CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8093914
I don't know how to disable caching at network/lan level (if that is doable)

cookies store session id which is a unique identifier that retrieves session data for a client on the server side.  your session data is stored on the server not client side.  Your amount of session data is usually constrained by server hardware specs.

response.sendRedirect(url) is a good way to refresh.

<%
response.sendRedirect(url);
%>

about session storage some tips and info:
http://www.jspinsider.com/reference/jsp/jspsession.html
http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Session-Tracking.html
http://www.jspolympus.com/JSP/JSPSessions.html


CJ
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8094095
Hi PK,

I believe the most important thing that you need to take care of is to make sure you VALIDATE EVERYTHING in D.jsp right BEFORE updating your database. Only this can ensure no bad data goes into your database.

Other means, like no-cache, expires and/or disabling the toolbar, help to prevent the average user from making mistakes, but they cannot prevent a power user from purposely creating bad data and passing the bad data to D.jsp.

So, the first thing is to make D.jsp look like this (pseudo code)
=============================
<%
result = bean.validateEverything();
if( result is good ) {
   bean.updateDatabase();
} else if ( result indicates data in A.jsp has a problem ) {
   response.sendRedirect( "A.jsp" );
   return;
} else if ( result indicates data in B.jsp has a problem ) {
   response.sendRedirect( "B.jsp" );
   return;
} else if ( result indicates data in C.jsp has a problem ) {
   response.sendRedirect( "C.jsp" );
   return;
}
%>

content of D.jsp
==========================
Once you have implemented this logic, you are safe that no bad data will go into the database. As a next step we can expire the page or disable the toolbar to make the interface more presentable, as you like.

if you can post your D.jsp, we can better help you.

Thanks.
0
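The point of the comment above (validate the current data at the moment of the update, not earlier), as an added example that is not part of the original thread. It is a plain-Java model with no servlet container; the class, field and rule names are hypothetical, and `StickyBean` is only an assumed shape of the asker's bug, since the bean code was never posted.

```java
import java.util.HashMap;
import java.util.Map;
// Constructed model of the A/B/C -> D flow; the maps stand in for the session-scoped bean's properties.
public class WizardFlowDemo {
    // Constructed rules: each page supplies one positive number; C's amount may not exceed A's limit.
    static String firstInvalidPage(Map<String, Integer> d) {
        Integer limit = d.get("A.limit"), qty = d.get("B.qty"), amount = d.get("C.amount");
        if (limit == null || limit <= 0) return "A.jsp";
        if (qty == null || qty <= 0) return "B.jsp";
        if (amount == null || amount <= 0 || amount > limit) return "C.jsp";
        return null;
    }

    // Assumed shape of the bug: approval is remembered in the session and trusted later.
    static class StickyBean {
        final Map<String, Integer> data = new HashMap<>();
        boolean approved;
        void check() { if (firstInvalidPage(data) == null) approved = true; }
        boolean update() { return approved; }   // stale flag; current data is never re-read
    }

    // Hardened: validate the current data when updating, then drop the state.
    static class RevalidatingBean {
        final Map<String, Integer> data = new HashMap<>();
        String update() {                        // null = committed, else page to redirect to
            String bad = firstInvalidPage(data);
            if (bad == null) data.clear();       // plays the role of session.invalidate()
            return bad;
        }
    }
    static void fill(Map<String, Integer> d, int limit, int qty, int amount) {
        d.put("A.limit", limit); d.put("B.qty", qty); d.put("C.amount", amount);
    }
    public static void main(String[] args) {
        StickyBean s = new StickyBean();
        fill(s.data, 100, 2, 50);
        s.check();                               // first pass is legitimately approved
        s.data.put("C.amount", -1);              // Back to C.jsp, resubmit a bad value
        System.out.println("sticky bean accepts bad resubmit: " + s.update());
        RevalidatingBean r = new RevalidatingBean();
        fill(r.data, 100, 2, 50);
        r.data.put("C.amount", -1);              // bad edit before the final step
        System.out.println("redirect to: " + r.update());
        fill(r.data, 100, 2, 50);
        System.out.println("committed: " + (r.update() == null));
        r.data.put("C.amount", -1);              // Back to C.jsp after the commit
        System.out.println("replay redirects to: " + r.update());
    }
}
```

The last line shows why clearing the state after a commit matters: a resubmit of C.jsp alone finds no data for A.jsp and is sent back to the start of the flow.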
 

Author Comment

by:pk55200
ID: 8100535
Invalid type expression.
     request.getSession().invalidate()

Guys... error thrown...
0
 

Author Comment

by:pk55200
ID: 8100540
oppss.... soli soli... my fault.... ignore the above comments.....

Ignore...
forget the ";" mark...
0
 

Author Comment

by:pk55200
ID: 8148532
ken, CJ, NetWire,

how can I put no-cache on my page? And how can I test it?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8148606
My comment above tells you how to.  To test it.. try outputting the current time on the page.  When you click refresh the latest time should show, not a cached page.

CJ
0
 
LVL 14

Accepted Solution

by:
kennethxu earned 2000 total points
ID: 8148607
>> how can I put no-cache on my page?
I have posted it in my first comment
Comment from kennethxu  03/07/2003 08:42AM PST

<%
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Cache-Control", "no-store");
    response.setDateHeader("Expires", 0);
%>

>> And how can I test it?
Say you put the above code in A.jsp, you access A.jsp, navigate to some other page, then click back to A.jsp again. If the above code is added to A.jsp, A.jsp will be accessed again, so

1. you can see there are 2 lines in the server's access log; one line is the return to A.jsp
2. if you put <%=new java.util.Date()%>, you can see it show you the current date when you go back.
3. if you posted to A.jsp, the browser will ask you if you want to re-send the request.
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8148641
sorry CJ, i didn't see your post. please don't misunderstand :)
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8148879
not to worry.. the posts were pretty much at the same time :-)

CJ
0
