Assume you have page A which is the "home" page for the web app. Assume there is a second page B which contains a form. After successfully processing the form the user is directed back to page A. If you need to display a success message for the previous action (the successful form submission), what is the best way to get that message for display?
I've narrowed it down to this:
Pass a message key to page A. Page A will then use the key to get the message from somewhere.
Pass the message to page A. However this seems to open the site up for XSS and what not.
When processing the form store the message in session scope prior to redirecting to page A. Then page A can retrieve & remove the message from session and display it on the screen.
Am I missing something? What is the preferred way to accomplish this task?
-
I usually use method 3. If a page wants to display a message after redirect, it sets a session variable. Then code, that is in my base class (executed for every page requests), checks to see if there is a message to display, displays it and empties the message session variable.
-
I would never use a session for such a task. It's irresponsible and destroys the flow of logic. Instead, you could have a pre-determined list of errors and just pass the error code through the query parameters. If you really need to send new, custom data every time I would suggest sending it through a GET or a POST preferably.
oneBelizean : How is it irresponsible? And how does it destroy logic anymore than retrieving the message with the key passed in on the url??Joe Philllips : If the user goes to that page directly the message will still be there most likely. I'm not sure what this page is so it's hard to say what problems you will encounter.oneBelizean : The only way the message would still be there is if the user didn't complete the redirect to the page. Assuming the web server handles distributing session state properly among multiple webservers (if they exist) -
totally agreeing with d03boy here for all the same reasons. Storing data specific to a certain view in the session breaks badly the moment your users start to open multiple windows.
Personally, I always use method 1 you've described here.
oneBelizean : Following each successful submission the user is redirected, so having multiple windows open wouldn't necessarily be a problem. However managing the session across multiple servers may be more of an issue. -
I agree with d03boy and pilif : method 3 is not a good use of the session and would be messed up in case of several windows, and as you said, method 2 opens to XSS.
Store the different messages either in a file or a database, and pass the key to the script. If you need to customize your messages, pass the data through a post request (and validate it to prevent XSS) and use patterns to replace the values in the message.
0 comments:
Post a Comment