Re: [rife-users] LOGOUT / back & page reloading.


Josh Hansen

Nov 18, 2009, 11:43:17 AM
to rife-...@googlegroups.com
Hi Soufiane,

This is a standard issue related to the browser, rather than with RIFE.
The submitted form values are associated with the page being viewed, so
a refresh will usually result in the browser prompting the user about
whether to re-submit the form values.

As far as I know, RIFE's built-in authentication system does not support
getting around this.

If you were to write your own, or extend RIFE's, you could have a unique
token associated w/ each authentication. Each token would be stored for
a while, and resubmissions with a given token would simply re-display
the login page.

Josh
--
Joshua Hansen
Up Bear Enterprises
(541) 760-7685


SoufianeZI wrote:
> Hello Geert!
>
> I'm concerned about the example http://rifers.org/07_authentication/
> After a logout, when a user goes back with the navigator's back button
> and refreshes the page, he can resend a revalidation POST request and
> log in again.
>
> How can I simply disallow this resend and redirect him to the
> authentication page?
> Can you please give me an example with redirection or with removing the
> active continuations tree in this particular case of logout?
>
> Best regards,
> Soufiane

Geert Bevin

Nov 18, 2009, 4:18:07 PM
to rife-...@googlegroups.com
Hi Soufiane,

A typical approach is to redirect after post. You could extend from a generic element that always redirects after authentication using the redirect() method. Another option is to declare a flowlink as being redirect and trigger an exit that uses that link after authentication. Another option is to actually work with continuations and, as you suggest, erase the entire continuation tree of the active user with "ContinuationContext.getActiveContext().removeContextTree();". You could also add an element inheritance layer that sets a global var or a cookie each time a GET happens and only allows a POST when the value is set. A final option I can think of is to simply always prevent continuations from being cloned with setCloneContinuations(false) in an element; the back button will then not have a valid context to work with.

As you can see, there are many options and I'm probably forgetting some of them. It all depends on your requirements.

Hope this helps,

Geert

On 18 Nov 2009, at 20:38, SoufianeZI wrote:

> Hi Joshua,
>
> Understood.
>
> I'll try to find a solution without writing my own auth system.
> After that, I will check if I can simply extend RIFE's system.
>
> Thanks !
> Best regards,
> Soufiane

--
Geert Bevin
Terracotta - http://www.terracotta.org
Uwyn "Use what you need" - http://uwyn.com
RIFE Java application framework - http://rifers.org
Flytecase Band - http://flytecase.be
Music and words - http://gbevin.com
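
An added example, not part of the thread and not RIFE code: a framework-independent sketch of the single-use token Josh describes, combined with the "GET sets a value, POST is only allowed when it is set" and redirect-after-post options from Geert's reply. The class and method names, the `/home` target and the 10-minute lifetime are assumptions; this variant stores unused tokens and deletes them on first use, rather than remembering used ones.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Single-use login form tokens: issued on GET, consumed by the first POST. */
public class LoginTokenDemo {
    private static final Duration TTL = Duration.ofMinutes(10); // assumed lifetime
    private final SecureRandom rng = new SecureRandom();
    // token -> expiry; an entry exists only while the token is still unused
    private final Map<String, Instant> pending = new ConcurrentHashMap<>();

    /** GET of the login page: mint a token to embed as a hidden form field. */
    public String issue(Instant now) {
        pending.values().removeIf(exp -> exp.isBefore(now)); // drop expired tokens
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, now.plus(TTL));
        return token;
    }

    /** remove() is atomic, so only one submission per token can succeed. */
    public boolean consume(String token, Instant now) {
        if (token == null) return false;
        Instant expiry = pending.remove(token);
        return expiry != null && now.isBefore(expiry);
    }

    /** POST of the login form: returns the response the handler would send. */
    public String handlePost(String token, boolean credentialsOk, Instant now) {
        // The token is checked first, so credentials carried by a replayed
        // POST are never evaluated; the user just sees the login form again.
        if (!consume(token, now) || !credentialsOk) {
            return "200 login form (fresh token: " + issue(now) + ")";
        }
        return "303 See Other -> /home"; // redirect after POST: a refresh repeats a GET
    }

    public static void main(String[] args) {
        LoginTokenDemo login = new LoginTokenDemo();
        Instant now = Instant.now();
        String token = login.issue(now);                         // user opens the login page
        System.out.println(login.handlePost(token, true, now));  // first submit: 303
        // After logout, Back + refresh makes the browser re-send the same POST.
        System.out.println(login.handlePost(token, true, now));  // replay: login form again
    }
}
```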
