7.2 Hidden Form Fields


One way to support anonymous session tracking is to use hidden form fields. As the name implies, these are fields added to an HTML form that are not displayed in the client's browser. They are sent back to the server when the form that contains them is submitted. You include hidden form fields with HTML like this:

<FORM ACTION="/servlet/MovieFinder" METHOD="POST">
  ...
  <INPUT TYPE=hidden NAME="zip" VALUE="94040">
  <INPUT TYPE=hidden NAME="level" VALUE="expert">
  ...
</FORM>

In a sense, hidden form fields define constant variables for a form. To a servlet receiving a submitted form, there is no difference between a hidden field and a visible field. The same holds from the client's side: "hidden" only means the browser does not render the field, and nothing prevents a user from viewing the page source or editing the value before the form is submitted. A servlet must therefore treat hidden values as client input, not as values the server set.

With hidden form fields, we can rewrite our shopping cart servlets so that users can shop anonymously until checkout time. Example 7-1 demonstrates the technique with a servlet that displays the user's shopping cart contents and lets the user choose to add more items or check out. An example screen for a bookworm is shown in Figure 7-1.

Example 7-1. Session Tracking Using Hidden Form Fields
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ShoppingCartViewerHidden extends HttpServlet {

  public void doGet(HttpServletRequest req, HttpServletResponse res)
                               throws ServletException, IOException {
    res.setContentType("text/html");
    PrintWriter out = res.getWriter();

    // Opening <HTML> tag added; the original printed only the closing one.
    out.println("<HTML>");
    out.println("<HEAD><TITLE>Current Shopping Cart Items</TITLE></HEAD>");
    out.println("<BODY>");

    // Cart items are passed in as the item parameter (one value per item).
    String[] items = req.getParameterValues("item");

    // Print the current cart items.
    out.println("You currently have the following items in your cart:<BR>");
    if (items == null) {
      out.println("<B>None</B>");
    }
    else {
      out.println("<UL>");
      for (int i = 0; i < items.length; i++) {
        out.println("<LI>" + items[i]);
      }
      out.println("</UL>");
    }

    // Ask if the user wants to add more items or check out.
    // Include the current items as hidden fields so they'll be passed on.
    out.println("<FORM ACTION=\"/servlet/ShoppingCart\" METHOD=POST>");
    if (items != null) {
      for (int i = 0; i < items.length; i++) {
        out.println("<INPUT TYPE=HIDDEN NAME=\"item\" VALUE=\"" +
          items[i] + "\">");
      }
    }
    out.println("Would you like to<BR>");
    out.println("<INPUT TYPE=SUBMIT VALUE=\" Add More Items \">");
    out.println("<INPUT TYPE=SUBMIT VALUE=\" Check Out \">");
    out.println("</FORM>");

    out.println("</BODY></HTML>");
  }
}
Figure 7-1. Shopping cart contents

This servlet first reads the items that are already in the cart using getParameterValues("item"). Presumably, the item parameter values were sent to this servlet using hidden fields. The servlet then displays the current items to the user and asks if he wants to add more items or check out. The servlet asks its question with a form that includes hidden fields, so the form's target (the ShoppingCart servlet) receives the current items as part of the submission. Note that the servlet writes the item values straight back into the page, both as list text and inside a VALUE="..." attribute; since those values arrive from the client, a crafted item parameter can inject markup, and production code must escape them before output.
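Example 7-1 trusts whatever comes back in the item fields. The class below is an added example, not code from the book: it carries the cart in a single hidden field the same way, but appends an HMAC-SHA256 tag so a client that edits the field is detected on submission, and it escapes values before writing them into HTML. The class name, the "cart" field name and the fixed key string are assumptions for the demonstration (a real deployment loads a random key from configuration); it needs only the JDK (Java 9 or later for List.of).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Cart state carried in one hidden field, as in Example 7-1, but with an HMAC-SHA256
 *  tag so the server notices when a client has edited the field before submitting it. */
public class SignedCartField {
    // Server secret. A fixed string here only so the example runs stand-alone; a real
    // deployment loads a random key from configuration and never sends it to clients.
    private static final byte[] KEY =
        "example-key-replace-with-random-bytes".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** Encode the cart as "b64(item1)|b64(item2)|...;tag". Base64url never contains
     *  '|' or ';', so the separators are unambiguous whatever the item names are. */
    static String encode(List<String> items) {
        StringBuilder body = new StringBuilder();
        for (String item : items) {
            if (body.length() > 0) body.append('|');
            body.append(B64.encodeToString(item.getBytes(StandardCharsets.UTF_8)));
        }
        return body + ";" + hmac(body.toString());
    }

    /** Verify the tag and decode. Returns null if the field was forged, edited or truncated. */
    static List<String> decode(String field) {
        if (field == null) return null;
        int sep = field.lastIndexOf(';');
        if (sep < 0) return null;
        String body = field.substring(0, sep);
        byte[] presented = field.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = hmac(body).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison: a plain equals() would leak how many bytes matched.
        if (!MessageDigest.isEqual(expected, presented)) return null;
        List<String> items = new ArrayList<>();
        if (body.isEmpty()) return items;
        for (String part : body.split("\\|", -1)) {
            items.add(new String(B64D.decode(part), StandardCharsets.UTF_8));
        }
        return items;
    }

    private static String hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return B64.encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Escape a value before writing it into the page, as element text or inside
     *  VALUE="...", so a crafted item name cannot close the attribute and inject markup. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample cart; the second item is hostile input that would break
        // out of VALUE="..." in Example 7-1's unescaped output.
        List<String> cart = List.of("Java Servlet Programming", "\"><B>injected</B>");
        for (String item : cart) System.out.println("<LI>" + escapeHtml(item));
        String field = encode(cart);
        System.out.println("<INPUT TYPE=hidden NAME=\"cart\" VALUE=\"" + escapeHtml(field) + "\">");
        System.out.println("honest submit -> " + decode(field));
        // A client that rewrites the body but keeps the old tag is rejected (prints null).
        String tag = field.substring(field.lastIndexOf(';'));
        String forged = encode(List.of("Free Book")).split(";")[0] + tag;
        System.out.println("forged submit -> " + decode(forged));
    }
}
```

The tag gives integrity, not confidentiality: the client can still read the cart from the field (base64 is not encryption), and it can replay an older signed field. Anything the user must not see or must not roll back belongs on the server, which is the approach the next paragraphs turn to.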

As more and more information is associated with a client's session, it can become burdensome to pass it all using hidden form fields. In these situations, it's possible to pass on just a unique session ID that identifies a particular client's session. That session ID can be associated with complete information about the session that is stored on the server.

Beware that a session ID must be treated as a secret shared only between the server and the client it was issued to: any other client that learns it can assume that client's identity simply by submitting it in a forged hidden form field. Consequently, session IDs should be generated so that they are infeasible to guess or forge (long random values from a cryptographic random number generator, never counters, timestamps, or anything derived from the user's name), and active session IDs should be protected wherever they appear. For example, don't make the server's access log public, because logged URLs may contain session IDs for forms submitted with GET requests.

Hidden form fields can be used to implement authentication with logout. Simply present an HTML form as the logon screen, and once the user has been authenticated by the server her identity can be associated with her particular session ID. On logout the server can stop sending the ID to the client on later forms, but it should also forget the association between ID and user (or the whole session), since a copy of the old ID may still sit in a page already loaded in the browser, and only the server-side deletion makes that copy worthless. Chapter 8 demonstrates this approach in more detail.
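The server-side variant described in the preceding paragraphs, as an added example rather than code from the book: the session ID is generated from a cryptographic random source, only the opaque ID goes into the hidden field, the cart and the login binding live in a server-side map, and logout deletes the server side. It goes one step beyond the text by issuing a fresh ID at login, so an ID observed while the session was anonymous cannot later be used as an authenticated one. The class and field names ("sid") are assumptions; the code needs only the JDK.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side session store addressed by an ID that travels in a hidden field.
 *  Only the opaque ID leaves the server; the cart and the login binding stay here. */
public class HiddenFieldSessionStore {
    private static final SecureRandom RNG = new SecureRandom();

    static final class Session {
        final List<String> items = new ArrayList<>();
        String user;   // null while the session is anonymous
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** 128 bits from a CSPRNG as 22 URL-safe base64 characters: a client cannot guess
     *  or enumerate another client's ID, which is what the whole scheme rests on. */
    String create() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Session());
        return id;
    }

    /** Resolve the ID from the submitted "sid" field; unknown IDs simply get no session. */
    Session lookup(String id) {
        return id == null ? null : sessions.get(id);
    }

    /** The only thing emitted to the client. Use METHOD=POST on the enclosing form so
     *  the ID does not end up in URLs, referrers and access logs as a GET query would. */
    String hiddenField(String id) {
        return "<INPUT TYPE=hidden NAME=\"sid\" VALUE=\"" + id + "\">";
    }

    /** Bind an authenticated user to the session. The ID is rotated: an ID that was
     *  shared or observed while anonymous must not silently become an authenticated
     *  one. The anonymous cart is carried over to the new session. */
    String login(String anonymousId, String user) {
        Session old = sessions.remove(anonymousId);
        String fresh = create();
        Session s = sessions.get(fresh);
        if (old != null) s.items.addAll(old.items);
        s.user = user;
        return fresh;
    }

    /** Logout as the text describes: forget the server side, so any copy of the
     *  ID still sitting in a browser page or a log is worthless. */
    void logout(String id) {
        sessions.remove(id);
    }

    public static void main(String[] args) {
        HiddenFieldSessionStore store = new HiddenFieldSessionStore();
        String anon = store.create();
        store.lookup(anon).items.add("Java Servlet Programming");
        System.out.println(store.hiddenField(anon));

        String auth = store.login(anon, "alice");
        System.out.println("anonymous id after login -> " + store.lookup(anon));   // null
        Session s = store.lookup(auth);
        System.out.println("user " + s.user + " has cart " + s.items);

        store.logout(auth);
        System.out.println("after logout -> " + store.lookup(auth));               // null
        // A guessed ID (22 base64url chars, 2^128 possibilities) never resolves.
        System.out.println("guessed id -> " + store.lookup("AAAAAAAAAAAAAAAAAAAAAA"));
    }
}
```

A production store would also expire idle sessions, since a map that only grows lets an attacker exhaust memory by creating sessions, and would never log or echo the ID anywhere other than the hidden field.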

The advantages of hidden form fields are their ubiquity and support for anonymity. Hidden fields are supported in all the popular browsers, they demand no special server requirements, and they can be used with clients that haven't registered or logged in. The major disadvantage with this technique, however, is that the session persists only through sequences of dynamically generated forms. The session cannot be maintained with static documents, emailed documents, bookmarked documents, or browser shutdowns.


Last updated on 3/20/2003
Java Servlet Programming, 2nd Edition, © 2001 O'Reilly (ISBN 0596000405)