views: 500
answers: 3
I need to use hidden variables in my JSP for session tracking. This is the code:

<input type="hidden" name="REQ_TOKEN" value="<%=session.getAttribute("SESN_TOKEN").toString()%>" />

I am using this to compare the request token with the session token, so only when both are equal will I evaluate that request; otherwise I will throw an error.

Now the problem is, when I place this code inside <form></form> tags, it works fine. Unfortunately there are some JSPs in my application where we don't have a <form> tag (I know that sounds weird!). Where can I place my code so that it will work?

Can't I use hidden variables without a <form> tag?

A: 

As far as I know you need to have the hidden field in a form tag for it to work correctly. Still looking it up, will repost. The sites I have found so far say that they should be within the form.

EDIT: roseindia.net/jsp/jspsession/HiddenForm

Justin Gregoire
It should however be noted that the articles at roseindia.net generally introduce bad coding practices to an extraordinarily high degree compared to other sites/blogs. The site *may* contain good technical information, but the code examples should be taken over with extreme care. This is problematic when you're still green/new to all the stuff and thus don't know what's "good" and what's "bad".
BalusC
@BalusC Thank you for the tip. I am still rather new myself to coding, and appreciate any tips and help I get. On that note, are there any blogs or sites that you could recommend to me for proper coding procedures instead of a quick fix? I find it difficult to truly find sites that explain what to do. I usually code in PHP, HTML, the .NET framework, Java, MySQL. I visit php.net, w3schools and other such sites, but have trouble finding blogs or forums that give more answers than ask questions.
Justin Gregoire
A: 

If it is just for CSRF prevention, then you don't need it at all on formless pages. Simply because there's nothing to protect :) The point is to include it in each <form method="post">, not in each page.

That said, "session tracking" is an entirely different concept. The HttpSession already does exactly that behind the scenes with the help of a cookie or URL rewriting. That's why I found your question initially confusing and posted a comment for clarification. What you want here is "request tracking" with the help of a request-based token which you store in the session scope (and remove immediately once the request has passed) so that you can prevent CSRF.

Update: you may find this answer useful to learn more about what CSRF actually is.

BalusC
Thanks for your response BalusC. Don't we need to take care of CSRF issues on a webpage which doesn't have a FORM tag? In my case, I have JSPs which don't have FORM tags; they submit the page using HYPERLINKS (window.open/window.location). I can still implement the CSRF fix (comparing the REQ token to the session token), which I am doing right now, by adding the token to the URL. But how safe is it to show (in the URL) the REQ token to the user?
micheal
window.open and window.location only fire GET requests and they are harmless (at least, are supposed to be harmless), so there's no CSRF risk. But if they actually execute sensitive actions like deleting/updating something in the database, then it was already the wrong choice to use window.open/window.location for it. Anyway, it looks like you still don't understand the key of CSRF. I suggest reading the posted link once again.
BalusC
+1  A: 

It sounds like the hidden value you're describing is what is more commonly referred to as a nonce, which (when talking about web forms) is a value used to verify that a form is submitted only once, and by the same session that requested the form. See these notes on preventing cross-site request forgery.

Firstly, how are you submitting requests without a <form>? Is the user simply clicking a link? If so, you can append the nonce to the query string, but if you're using GET requests for something destructive that actually requires verification of a nonce, you're doing it wrong. These types of requests should only be made via POST, which implies generating a <form method="post">.

Secondly, no, you can't use <input type="hidden" /> outside of a form. A given form only submits its own values, that is, elements between <form> and </form>.

If you want your hidden value to be included in the data being posted back, you must include the hidden input within the form being submitted. If, as you say, you cannot include the needed <form> tags in your JSP files, you could dynamically make the request via JavaScript, but this introduces a dependency on JavaScript that you should avoid for something so simple and fundamental.

meagar
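The synchronizer token that BalusC's and meagar's answers describe, as an added example that is not code from the question or from any of the answers. The session is modelled as a plain Map so the class runs with `java CsrfTokenCheck.java` outside a servlet container; the attribute name SESN_TOKEN and the parameter name REQ_TOKEN are taken from the question, and everything else (the class and method names, the 32-byte token size, the set of methods that are checked) is assumed here. Following BalusC's answer, the token is removed once a request has passed the check, so every rendered form gets a fresh one, and GET requests fired by links or window.location are not checked at all.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Synchronizer-token CSRF check in the style of a servlet application.
 * The "session" is a plain Map so this runs without a container; in a real
 * app use HttpSession.getAttribute/setAttribute/removeAttribute instead.
 * SESN_TOKEN and REQ_TOKEN are the names used in the question; the rest
 * of this class is an assumed design, not the poster's or any answerer's code.
 */
public class CsrfTokenCheck {

    static final String SESSION_ATTR = "SESN_TOKEN";
    static final String REQUEST_PARAM = "REQ_TOKEN";
    // Only state-changing methods are checked; safe methods (GET, HEAD) carry no token.
    static final Set<String> STATE_CHANGING = Set.of("POST", "PUT", "PATCH", "DELETE");

    private static final SecureRandom RNG = new SecureRandom();

    /** Return the session's token, minting one (32 random bytes, base64url) if none exists yet. */
    static String tokenFor(Map<String, Object> session) {
        Object existing = session.get(SESSION_ATTR);
        if (existing instanceof String s) return s;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_ATTR, token);
        return token;
    }

    /** The hidden input the JSP renders inside each <form method="post">. */
    static String hiddenField(Map<String, Object> session) {
        // base64url output contains only [A-Za-z0-9_-], so no HTML escaping is needed here.
        return "<input type=\"hidden\" name=\"" + REQUEST_PARAM
                + "\" value=\"" + tokenFor(session) + "\" />";
    }

    /**
     * Decide whether a request may proceed. Safe methods always pass; state-changing
     * methods pass only when the submitted token equals the session token, and the
     * token is then consumed so the next form render issues a new one.
     */
    static boolean isAllowed(String method, Map<String, Object> session, Map<String, String> params) {
        if (!STATE_CHANGING.contains(method.toUpperCase())) return true;
        Object expected = session.get(SESSION_ATTR);
        String submitted = params.get(REQUEST_PARAM);
        if (!(expected instanceof String) || submitted == null) return false;
        // Constant-time comparison so a mismatch does not leak where the bytes differ.
        boolean ok = MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) session.remove(SESSION_ATTR);   // one request per token
        return ok;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();

        // 1. GET renders the page: the JSP embeds the token inside the form.
        System.out.println(hiddenField(session));

        // 2. POST from that form carries the matching token: accepted (and the token is consumed).
        Map<String, String> ownForm = Map.of(REQUEST_PARAM, tokenFor(session), "action", "delete");
        System.out.println("own form POST allowed?   " + isAllowed("POST", session, ownForm));

        // 3. Replaying the same token is rejected because it was consumed in step 2.
        System.out.println("replayed POST allowed?   " + isAllowed("POST", session, ownForm));

        // 4. A POST lacking the token (another origin cannot read the victim's page) is rejected.
        Map<String, String> noToken = Map.of("action", "delete");
        System.out.println("tokenless POST allowed?  " + isAllowed("POST", session, noToken));

        // 5. A plain GET from a hyperlink or window.location needs no token.
        System.out.println("link GET allowed?        " + isAllowed("GET", session, Map.of()));
    }
}
```

Rendering `hiddenField` inside every <form method="post"> and calling `isAllowed` from a servlet Filter before the protected servlet runs covers the pages that post forms; a page without a form has nothing for this check to protect, as long as its links only perform safe GETs. Consuming the token per request, as shown, will reject a user who submits from a second tab that was rendered with an older token; keeping one token for the whole session avoids that at the cost of the one-time property.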