Bug #458

No second token validation

Added by Tan Lee Yong about 14 years ago. Updated over 13 years ago.

Status: Closed - End of life cycle
Start date: September 08, 2010
Priority: High
Due date: September 20, 2010
Assignee: Cheang Danniell
% Done: 100%
Category: -
Spent time: 25.00 hours
Target version: -

Description

Hi Daniell/Lee Yong,

Based on our previous discussion, when can you deliver the programs to rectify the following issue:

- no session/token validation between pages when the back/forward button is clicked 
- session still alive after logout

History

#1 Updated by Cheang Danniell about 14 years ago

  • Due date changed from September 14, 2010 to September 20, 2010
  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • % Done changed from 0 to 90
  • Added struts token validation to avoid resubmission.
  • Added secondary token validation to avoid page reloading due to refresh button.
  • Added additional token delegation in order to parse through session attributes due to application design restrictions.
  • Added no caching and force reload for most browsers.

Note:
Due to a design restriction in this application, tokens are forced to be parsed through session attributes during delegation, whereby the action flag that denotes the action has been completed needs to be removed manually. Below are the added methods:

// Marks, in session scope, that the previous action has finished so that
// checkToken() will validate the next request.
public void saveActionCompleted (HttpServletRequest p_oRequest)
{
    HttpSession m_oSession = p_oRequest.getSession (true);
    m_oSession.setAttribute (ACTION_COMPLETED, ACTION_COMPLETED);
}

// Clears the request-scoped "already checked" flag and hands the primary token
// to the redirected request. Uses the ACTION_COMPLETED constant (the literal
// string used before would silently miss the flag if the constant's value differs)
// and guards against a missing session instead of dereferencing null.
public void tokenRedirection (HttpServletRequest p_oRequest)
{
    p_oRequest.removeAttribute (ACTION_COMPLETED);
    HttpSession m_oSession = p_oRequest.getSession (false);
    if (m_oSession != null)
    {
        p_oRequest.setAttribute ("REDIRECTION_TOKEN", m_oSession.getAttribute ("PRIMARY_TOKEN"));
    }
}

The check-token algorithm has been amended to fit the design:

public boolean checkToken (HttpServletRequest p_oRequest, ActionMapping p_oMapping, boolean p_bPopUp) throws AmxGenericException {
    String m_sActionClassCompleted;
    String m_sRequestAttribute;
    boolean m_bValidToken = false;
    HttpSession m_oSession = p_oRequest.getSession (true);

    try
    {
        // Session-scoped flag set by saveActionCompleted() once the previous action finished
        m_sActionClassCompleted = (String) m_oSession.getAttribute (ACTION_COMPLETED);
        // Request-scoped flag set below once this request has already been checked
        m_sRequestAttribute = (String) p_oRequest.getAttribute (ACTION_COMPLETED);
        logger.debug ("m_sActionClassCompleted : " + m_sActionClassCompleted);
        logger.debug ("m_sRequestAttribute : " + m_sRequestAttribute);
        logger.debug ("isRedirection : " + p_oRequest.getAttribute ("REDIRECTION_TOKEN"));
    }
    catch (Exception e) {
        // Any failure reading the flags is treated as an invalid token
        logger.debug ("checkToken err : " + e);
        return false;
    }

    // Validate only when the previous action completed and this request has not been checked yet
    if (!DataValidator.isEmptyString (m_sActionClassCompleted)
        && m_sActionClassCompleted.equals (ACTION_COMPLETED)
        && DataValidator.isEmptyString (m_sRequestAttribute)) {
        m_bValidToken = this.isTokenValid (p_oRequest, p_oMapping, p_bPopUp);
        if (m_bValidToken)
        {
            // Issue a fresh token, clear the session flag and mark this request as checked
            // so that a refresh or Back/Forward resubmit of the same request is rejected
            this.saveToken (p_oRequest);
            m_oSession.removeAttribute (ACTION_COMPLETED);
            p_oRequest.setAttribute (ACTION_COMPLETED, ACTION_COMPLETED);
        }
    }
    return m_bValidToken;
}
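
The lifecycle the comment above and the ticket description cover (token saved when the page is rendered, checked and consumed on submit, Back/Forward or refresh resubmits rejected, the server-side session dropped on logout, and no-cache headers so browsers do not replay cached pages) as an added, stand-alone example. This is not code from this ticket or from the application: it uses a hypothetical Session class in place of HttpSession, a hypothetical TokenProcessor in place of the Struts one, a constructed hidden form-field name `token`, and it generalizes the ticket's ACTION_COMPLETED flag hand-off to a standard single-use synchronizer token. Only the session attribute name PRIMARY_TOKEN is taken from the ticket.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/** Walk-through: render form, submit once, resubmit via refresh/Back, forge a token, log out. */
public class TokenDemo {

    /** Standard response headers that stop browsers serving a cached copy on Back/Forward. */
    static Map<String, String> noCacheHeaders() {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Cache-Control", "no-store, no-cache, must-revalidate");
        h.put("Pragma", "no-cache");
        h.put("Expires", "0");
        return h;
    }

    /** Logout must drop the server-side session, not merely forget the user on the client. */
    static void logout(Session s) {
        s.invalidate();
    }

    public static void main(String[] args) {
        TokenProcessor tp = new TokenProcessor();
        Session session = new Session();

        // 1. Page render: mint a token into the session and embed it in the form (constructed form map)
        String embedded = tp.saveToken(session);
        Map<String, String> form = new HashMap<>();
        form.put(TokenProcessor.TOKEN_PARAM, embedded);

        // 2. First submit: token matches the session copy and is consumed
        System.out.println("first submit accepted    : " + tp.isTokenValid(session, form));

        // 3. Refresh / Back resubmit: the same token is presented again but is now stale
        System.out.println("resubmit accepted        : " + tp.isTokenValid(session, form));

        // 4. Freshly rendered page, but the submitted token does not match the session copy
        tp.saveToken(session);
        form.put(TokenProcessor.TOKEN_PARAM, "not-the-session-token");
        System.out.println("mismatched token accepted: " + tp.isTokenValid(session, form));

        // 5. Logout invalidates the session; any later submit against it fails
        logout(session);
        System.out.println("session live after logout: " + session.isValid());
        System.out.println("submit after logout      : " + tp.isTokenValid(session, form));
        System.out.println("no-cache headers         : " + noCacheHeaders());
    }
}

/** Hypothetical stand-in for HttpSession: attributes plus an invalidated flag (not the servlet API). */
class Session {
    private final Map<String, Object> attrs = new HashMap<>();
    private boolean valid = true;

    boolean isValid() { return valid; }
    Object get(String key) { ensureLive(); return attrs.get(key); }
    void set(String key, Object value) { ensureLive(); attrs.put(key, value); }
    void remove(String key) { ensureLive(); attrs.remove(key); }
    void invalidate() { attrs.clear(); valid = false; }

    private void ensureLive() {
        if (!valid) throw new IllegalStateException("session has been invalidated");
    }
}

/** Hypothetical session-scoped synchronizer token: one token per rendered form, single use. */
class TokenProcessor {
    static final String TOKEN_KEY = "PRIMARY_TOKEN";   // session attribute name from the ticket
    static final String TOKEN_PARAM = "token";         // hypothetical hidden form-field name
    private final SecureRandom rng = new SecureRandom();

    /** On page render: 256-bit random token, stored server-side and returned for the form. */
    String saveToken(Session s) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        s.set(TOKEN_KEY, token);
        return token;
    }

    /** On submit: constant-time compare against the stored token, then consume it. */
    boolean isTokenValid(Session s, Map<String, String> params) {
        if (s == null || !s.isValid()) return false;            // logged out or expired
        Object expected = s.get(TOKEN_KEY);
        String presented = params.get(TOKEN_PARAM);
        if (expected == null || presented == null) return false; // nothing outstanding or nothing sent
        boolean ok = MessageDigest.isEqual(
                expected.toString().getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
        if (ok) s.remove(TOKEN_KEY); // single use: a refresh or Back resubmit presents a stale token
        return ok;
    }
}
```

Save as TokenDemo.java and run with `java TokenDemo.java`. The point the ticket's design shares with this version is that the server, not the page, holds the copy of the token and clears it on success, so a page replayed from the browser's history carries a token the server no longer recognises; the session check at the top of isTokenValid is what makes "logout" mean something, since invalidating the session leaves nothing for a replayed request to match against.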

#2 Updated by Tan Lee Yong almost 14 years ago

Provide status update

#3 Updated by Cheang Danniell almost 14 years ago

  • Status changed from Development / Work In Progress to Pending Customer Feedback
  • Pending feedback due to unavailability of test accounts.
  • Debug by UAT testing.

email:

Hi Daniell,

As spoken earlier, can you help to prepare a file listing of all the affected program files for the following changes:

1. Session validation on ALL pages (i.e. customers will get an invalid session page if the 'Back' or 'Forward' button is clicked).
2. Clicking on logout button will invalidate the current session.
3. All URLs fixed and should be redirecting to the respective pages.
4. Streamline Application Resource properties file.
5. Standardize CSS layout in "Manage Your Account" pages.

Once I have the listing, I will prepare the files for UAT migration and get the users to test on it.

#4 Updated by Cheang Danniell over 13 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • % Done changed from 90 to 100
