Session tracking and ctrl+n

Hi

I have a problem. I am using the servlet API for session tracking, but when the user clicks Ctrl+N a new browser window is opened and the session is copied.

Then the user can use the application twice.

How can I prevent him from continuing to use the application twice?

Please help.

****

[334 byte] By [MorD] at [2007-9-18]
# 1

Hi,

Store some flag and value in the parent window, meaning the very first window. So when the user creates a new window, the parent window variable will not be copied. So you have to check that parent window variable every time to continue. This way you can prevent it.

Hope that helps.

Best Luck,

Senthil Babu

Developer Technical Support

SUN Microsystems

http://www.sun.com/developers/support/

jsenthilbabu_indts at 2007-7-4 > top of java,Enterprise & Remote Computing,Web Tier APIs...
# 2
If I save the flag in a hidden field, it is not copied to the new window after Ctrl+N? Thanks
MorD at 2007-7-4
# 3

> If I save the flag in a hidden field, it is not copied to
> the new window after Ctrl+N?
> Thanks

Of course it does, his idea does not work. I have no idea why they post answers they've never tried out.

You can trap keystrokes in JavaScript so nothing will happen when a user keys down the CTRL key. All you have to do is find the ASCII representation of the key you wish to trap. Here's how I stopped users from using the ESC key in a form:

IE seems to have the habit of resetting the complete form when you press ESC inside a form element. The following code prevents that:

<HTML>
<HEAD>
<STYLE>
</STYLE>
<SCRIPT>
// IE only (document.all): returning false from the handler cancels the key press.
if (document.all)
  document.onkeydown = function () {
    return event.keyCode != 27; // 27 = ESC
  }
</SCRIPT>
</HEAD>
<BODY>
<FORM NAME="formName">
<INPUT TYPE="text" NAME="field1">
<INPUT TYPE="submit">
<INPUT TYPE="reset">
</FORM>
</BODY>
</HTML>

frankkrul at 2007-7-4
# 4

We had the same issue. To solve the ctrl+n issue, we place some sort of a token in the session and then we have a generic method that removes the token from the session. Here is the process...

1. user clicks on link (which hits servlet)

2. servlet interprets request, sets token in session and forwards user to the page (has to be a .jsp page)

3. .jsp page calls a generic method which will check to see if the token exists:

if (token exists) let page load and remove token

else redirect user elsewhere, i.e. logout page

Hope this helps

pvongboupha at 2007-7-4
# 5
So let me get this straight: you'd replace one line of client-side JavaScript code with having your server process a method invocation? That sounds like an awful waste of resources to me.
frankkrul at 2007-7-4
# 6

I don't think it helps, since Ctrl+N copies the window with the HTML after the HTML reaches the client (the HTML processed by the JSP page). Therefore I can't check the token in the JSP page if Ctrl+N doesn't produce a call to the server.

Correct me if I am wrong.

****

MorD at 2007-7-4
# 7

I don't think you can block function KEYS in any browsers. You can block normal key pressed events using JavaScript, but function keys are overridden by the browser vendor's code.

Instead try using a global javascript variable which shall store the number of client side windows that have been opened. Every window in JS has a property called opener. You can probably use that property.

Once you have this figure... pass it on as a hidden variable in a form to your servlet. There you can make a check for the number of windows the user was working with before he submitted the form.

Never tried it, should be a work-around though.

axe_fx at 2007-7-4
# 8

JSPs can solve your problem in such cases.

Firstly, specify 'No-Cache' in the response headers so that the page doesn't get cached. That way, even if the user presses "CTRL + N", that page will be requested again from the server. The code in the scriptlets will be executed again.

Given that situation, use a JavaBean in that JSP with 'PAGE' scope. Before you instantiate this bean using the <jsp:useBean> tag, check whether this bean already exists. Otherwise you could have a static property in a 'session level bean' that will be updated every time that particular page is requested. That way you can disallow the user from seeing any page in two windows.

Hope this helps. This is a definite solution. Revert back for any queries.

axe_fx at 2007-7-4
# 9

> I don't think you can block function KEYS in any
> browsers. You can block normal key pressed events
> using JavaScript, but function keys are overridden by
> the browser vendor's code.

Please people, stop posting guesses, as it is more time consuming to deprogram the people that try these inane methods than to show them how to do it right the first time.

I've already posted how to do this in a simple JavaScript function. Now here's the equivalent in a JScript function:

<BODY onload="document.body.focus();" onkeydown="ctrlDown();">

The event handler is defined as:

// IE-only JScript: event.ctrlLeft is true when the left CTRL key is down.
function ctrlDown() {
  if (event.ctrlLeft) {
    alert("Left CTRL Pressed");
  }
  else {
    if (event.ctrlKey) {
      alert("Right CTRL Pressed");
    }
  }
  document.body.focus();
}

OK? Got it? Tried it? Yes it worked huh? Did you know you can trap any chars?

Now while the rest of the known universe is trapping the CTRL key these two ways, you guys can continue to invoke methods, hide variables, and create additional JSPs to parse session beans set with useless properties.

Frank Krul

frankkrul at 2007-7-4
# 10

JavaScript is fine, but it's not a solid solution. Sure, you'll end up using a little more resources on the server side, but it isn't dependent on the client's browser. Besides, using the token technique also prevents back button and going to pages out of sequence. You basically catch multiple fish with one hook at the same time.

pvongboupha at 2007-7-4
# 11

Forgot to mention you will need something like this on the .jsp page so it will process the .jsp page again when user refreshes page or performs ctrl-n.

response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 1);

pvongboupha at 2007-7-4
# 12
How does it help with the back button problem? Can you be more specific? Thanks ****
MorD at 2007-7-4
# 13

Sure, if you have the following on the previous page:

response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache");
response.setDateHeader("Expires", 1);

And you also check the token in the session on that page. When the user clicks back, the browser has been instructed to not cache the pages, so it will process the JSP page in which your code that checks the token will be performed. Your code will check for the token and since there shouldn't be one in session, you can redirect the user to login/logout/etc. We have this check on all of our pages that we don't want the user to bookmark/refresh/ctrl-n/go back to.

We log the user out and destroy the session because our app is required to be secure and we needed to force the user to follow our steps instead of them jumping around and bookmarking pages.

pvongboupha at 2007-7-4
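The token flow described in posts #4, #11 and #13, written out as a servlet helper. This is an added example, not code from any poster in the thread; the class name `PageToken`, the attribute name and the `/logout.jsp` target are assumptions, and it uses the `javax.servlet` API. The token is stored as an `AtomicBoolean` so that the check and the consumption are one atomic step when two windows hit the same session at once.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Single-use page token kept in the session (hypothetical helper class). */
public final class PageToken {
    private static final String ATTR = "pageToken";      // assumed attribute name
    private static final String LOGOUT = "/logout.jsp";  // assumed redirect target

    private PageToken() {}

    /** Step 2: the servlet calls this just before forwarding to the JSP. */
    public static void issue(HttpServletRequest req) {
        req.getSession(true).setAttribute(ATTR, new AtomicBoolean(true));
    }

    /**
     * Step 3: the JSP calls this before writing any output.
     * Returns true if the page may render; otherwise the session is
     * destroyed, a redirect to the logout page is sent, and false is returned.
     */
    public static boolean consume(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Headers from the thread: force a new request on back, refresh or Ctrl+N.
        resp.setHeader("Pragma", "No-cache");
        resp.setHeader("Cache-Control", "no-cache");
        resp.setDateHeader("Expires", 1);

        HttpSession session = req.getSession(false);
        Object token = (session == null) ? null : session.getAttribute(ATTR);
        // compareAndSet flips true -> false exactly once, so two windows racing
        // on the same session cannot both pass the check. The spent token stays
        // in the session until the servlet issues a fresh one.
        boolean ok = token instanceof AtomicBoolean
                && ((AtomicBoolean) token).compareAndSet(true, false);
        if (ok) {
            return true;
        }
        if (session != null) {
            session.invalidate();   // log the user out, as post #13 describes
        }
        resp.sendRedirect(req.getContextPath() + LOGOUT);
        return false;
    }
}
```

The servlet calls `PageToken.issue(request)` before its forward, and each protected JSP begins with `if (!PageToken.consume(request, response)) return;`.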
# 14

> We have this check
> on all of our pages that we don't want the user to
> bookmark/refresh/ctrl-n/go back to.

Why don't you just check the referrer environment variable? One line pseudo:

If referrer is not from my host name then forward to login page.

This stops bookmarks, refreshes CTRL-n and go backs.

frankkrul at 2007-7-4
# 15
Sounds interesting and simple. Did you try it? The referer, as I know, is the one who produced the HTML that was sent to the user. So Ctrl+N will return a referer other than my server?
MorD at 2007-7-4
# 16
By checking the referer, it will not prevent users from refreshing the page or using the back button. It will only tell you if the person came to your site using a bookmark, typing in the URL, or coming from another server with your link.
pvongboupha at 2007-7-4
# 17
Does it work with one servlet which is a controller? (MVC pattern)
MorD at 2007-7-4
# 18

> By checking the referer, it will not prevent users
> from refreshing the page or using the back button. It
> will only tell you if the person came to your site
> using a bookmark, typing in the URL, or coming from
> another server with your link.

No kidding, that's what my previous two posts containing the ECMAscript do. My referer code was in reply to your complicated method of embedding a token:

"And you also check the token in the session on that page. When the user clicks back.. the browser has been instructed to not cache the pages so it will process the jsp page in which your code that checks the token will be performed. Your code will check for the token and since there shouldn't be one in session, you can redirect user to login/logout/etc.. We have this check on all of our pages that we don't want the user to bookmark/refresh/ctrl-n/go back to."

You can simply replace all the above with:

"If referer != host name of your choice then show login/logout/etc"

Your code above doesn't stop the user from using the back or refresh button either! So why would you say mine doesn't? Time to start thinking. My code is a one liner, and has no embedded tokens. It's much better, just give it a try...all my solutions are tried, tested and true.

Frank

frankkrul at 2007-7-4
# 19
Could you please give me a concrete example? Please respond asap?
johnnytran at 2007-7-4
# 20

> No kidding, that's what my previous two posts containing
> the ECMAscript do. My referer code was in reply to
> your complicated method of embedding a token:

The method isn't that complicated.

> Your code above doesn't stop the user from using the
> back or refresh button either! So why would you say
> mine doesn't? Time to start thinking. My code is a one
> liner, and has no embedded tokens. It's much better,
> just give it a try...all my solutions are tried, tested and
> true.

The token works fine. It prevents users from spawning new windows (ctrl-n) and using the refresh/back buttons. I don't know where you get your claim that the solution doesn't work. Perhaps some sort of miscommunication on my part. I've never said your solution using JavaScript wouldn't work. I merely said I would rather avoid it because it could be disabled. If refreshing/ctrl+n/back button disabling is important to your project, I would go with something that is less browser dependent. If not, JavaScript is fine.

pvongboupha at 2007-7-4
# 21

> The token works fine. It prevents users from spawning
> new windows (ctrl-n) and using the refresh/back
> buttons.

Actually it doesn't. A new window will still open, you just re-direct them to a login/logout page.

> I don't know where you get your claim that
> the solution doesn't work.

Please tell me where I said your solution doesn't work. I stated that it is not as simple as mine. Look, the javascript code will not spawn a window when a user tries to. Your code does, THEN it will forward you to a page of your choice. That is pretty lame in comparison.

If users have JavaScript turned off (who does?), then my one line JSP code forwards them to a page much like your token does. I have redundant checks, just a few lines of code, no tokens. Pretty neat huh? I suggest you actually try the solution.

This thread is dead.

frankkrul at 2007-7-4
# 22
O.K., both ideas are good, but how do you prevent them in JS from opening a new window when the user does File->New->Window (which is the same as Ctrl+N) from the browser menu? D.
MorD at 2007-7-4
# 23

You're correct about not preventing the user from creating a new window. What I meant to say when I said "prevent ctrl-n/spawning new windows" is that the new window will force the user to logout, thus preventing the user from navigating the site with two browsers using the same session.

BTW, sorry about all the spam.

pvongboupha at 2007-7-4