WebApp Sec mailing list archives
Re: Preventing direct URL access in a J2EE environment
From: Roy Britten <r.britten () niwa co nz>
Date: Fri, 4 Mar 2005 10:58:42 +1300
On Wed, Mar 02, 2005 at 07:54:48AM -0500, Kevin Conaway wrote:
> I just want to enforce that users actually click on a link to go to a certain page, not type in the URL manually.
As noted, attaching single-use tokens to each request is the most reliable way of achieving this. A lower-overhead approach (but spoofable, with effort) may be to deny all GETs to the server (other than to the initial "home" page) and have every link submit a POST request.

Roy.
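A sketch of the single-use token approach mentioned in the message above, added here as an illustration and not part of the original post. The class name `LinkTokens`, the query parameter `t` and the sample paths are assumptions; in a servlet container one instance would be stored in each `HttpSession` and `consume` called from a request filter.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-session store of single-use link tokens (hypothetical helper, one instance per session). */
public class LinkTokens {
    private static final SecureRandom RNG = new SecureRandom();
    // token -> path it was issued for; entries exist only until the link is followed once
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    /** Called while rendering a page: returns the href to emit for a link to the given path. */
    public String link(String path) {
        byte[] raw = new byte[16];                 // 128 random bits, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, path);
        return path + "?t=" + token;
    }

    /** Called before serving a page: true only for an unused token issued for this exact path. */
    public boolean consume(String path, String token) {
        if (token == null) return false;           // URL typed by hand carries no token
        String issuedFor = pending.remove(token);  // remove first, so a replay always fails
        return path.equals(issuedFor);             // a token for another page does not count
    }

    // Constructed walk-through: one session, four requests.
    public static void main(String[] args) {
        LinkTokens session = new LinkTokens();
        String href = session.link("/report");
        String token = href.substring(href.indexOf("?t=") + 3);
        System.out.println("clicked link:        " + session.consume("/report", token));
        System.out.println("same URL replayed:   " + session.consume("/report", token));
        System.out.println("typed URL, no token: " + session.consume("/report", null));
        String other = session.link("/report");
        String t2 = other.substring(other.indexOf("?t=") + 3);
        System.out.println("token for other page: " + session.consume("/admin", t2));
    }
}
```

Because each token is removed on first use, the browser's back button, reload and bookmarks all fail the check. Tokens for links that are never clicked stay in the map until the session ends, so a deployment would also cap or expire them.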