SessionAttributes when opening new browser tabs

I have a Spring MVC application, and in each controller I add @SessionAttributes to a form to keep its properties while saving, deleting, or executing another retrieval request. The main problem arises when I try to open some link in another browser tab and submit it. I tried this solution, but when I do the redirection (in the controller I have only one return for a view, and the others are redirects), it creates a new conversation and cannot find the previous one.

I have another question about this, trying to use Spring Session. It is here, but I don't know if this will work.

+8
java spring spring-mvc
2 answers

Have you looked at Spring RedirectAttributes? I have not used it myself, but it looks like it should do what you want. RedirectAttributes is commonly used for the GET/redirect/POST pattern, and at least one user seems to think that passing session attributes is bad practice, but they go on to mention that this is not the case; this seems to be the best solution. Anyway, the example shown in the documentation:

    @RequestMapping(value = "/accounts", method = RequestMethod.POST)
    public String handle(Account account, BindingResult result, RedirectAttributes redirectAttrs) {
        if (result.hasErrors()) {
            return "accounts/new";
        }
        // Save account ...
        redirectAttrs.addAttribute("id", account.getId()).addFlashAttribute("message", "Account created!");
        return "redirect:/accounts/{id}";
    }

will add a message attribute to RedirectModel, and if your controller redirects, then any method that handles redirection can access this data as follows:

    // Handler for the redirect target. The original snippet mapped this to POST /accounts
    // (the same mapping as handle() above, which Spring rejects as ambiguous) and returned
    // a ModelAndView from a String method, so the mapping and return type are corrected here.
    @RequestMapping(value = "/accounts/{id}", method = RequestMethod.GET)
    public String handleRedirect(Model model) {
        // The flash attribute survives exactly one redirect and is merged into this Model.
        String message = (String) model.asMap().get("message");
        return "accounts/show"; // hypothetical view name, not from the documentation
    }

Thus, adding session attributes should work the same way. Another link here.

EDIT: I was looking through Spring's documentation, and they also mention the @SessionAttributes annotation. From the documentation:

Type-level @SessionAttributes annotations declare session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session or some conversational storage, serving as form-backing beans between subsequent requests.

Could this be what you need?

And also a link to the flash attribute documentation.

+5

The solution we came up with has nothing to do with Spring:

  • In each HTML form of your application, you will need to specify a hidden field. Name this field CSRF_TOKEN. This field must have a randomly generated value. This value is placed both in the session and in the hidden field. The session attribute name is SESSION_CSRF_TOKEN.

  • When the form is submitted to the server, you check whether the value in the session (SESSION_CSRF_TOKEN) is equal to the value sent in the HTTP request parameter CSRF_TOKEN. If not, you show some kind of error message and stop processing. If they are equal, continue.

If the user opens a new tab or duplicates the tab, the server will re-render the page and a new CSRF_TOKEN will be created. Thus, the user will be able to submit the form only from the newly opened tab, and not from the original.

This solution offers an added bonus: it protects against CSRF attacks.

+3
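The per-render token scheme described in the answer above, written out as a Spring MVC controller. This is an added example, not code from the question or either answer; the controller name, the /accounts/new and /accounts paths, the view names and the javax.servlet session API are assumptions. It generates the token with SecureRandom, treats a missing token on either side as a failure, and compares in constant time, which is what makes the "added bonus" CSRF protection hold.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller // hypothetical controller; names and paths are assumptions
public class AccountFormController {
    private static final String SESSION_CSRF_TOKEN = "SESSION_CSRF_TOKEN";
    private static final SecureRandom RANDOM = new SecureRandom();

    // GET renders the form. A fresh token is generated on every render and stored in the
    // session, so opening the form in a second tab overwrites the token the first tab carries.
    @RequestMapping(value = "/accounts/new", method = RequestMethod.GET)
    public String showForm(HttpSession session, Model model) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_CSRF_TOKEN, token);
        // Template renders: <input type="hidden" name="CSRF_TOKEN" value="${csrfToken}">
        model.addAttribute("csrfToken", token);
        return "accounts/new";
    }

    // POST: stop processing unless the submitted token equals the one in the session.
    @RequestMapping(value = "/accounts", method = RequestMethod.POST)
    public String handleSubmit(@RequestParam(value = "CSRF_TOKEN", required = false) String submitted,
                               HttpSession session, Model model) {
        if (!tokenMatches(session, submitted)) {
            model.addAttribute("error", "This form is stale; reload the page and try again.");
            return "accounts/new";
        }
        // ... save the account ...
        return "redirect:/accounts";
    }

    static boolean tokenMatches(HttpSession session, String submitted) {
        Object expected = session.getAttribute(SESSION_CSRF_TOKEN);
        if (!(expected instanceof String) || submitted == null) {
            return false; // a missing token on either side is a failure, never a pass
        }
        // Constant-time comparison so timing does not leak how much of the token matched.
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

Note that rotating the token on every render is what gives the one-tab behaviour; Spring Security's default CSRF support keeps a single token per session, so it prevents cross-site submission but still accepts the form from any open tab.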
