
Re: [agile-usability] Back button

  • William Wake
    Message 1 of 42 , Nov 23, 2004
      > > From: Lisa Crispin [mailto:lisa.crispin@...]
      > > How do most people handle problems that could arise from an end user
      > > clicking the back button? Is there a simple trick? Like not
      > > putting the page on the history or something?

      >On Tue, 23 Nov 2004 19:49:29 -0500, Mike <michael.net@...> wrote:
      > I'm not 100% sure but I think that client-side solutions will never work reliably
      > [...] I believe the only real solution involves comparing a session token to a
      > viewstate (or hidden field) token on the server.

      It's been a while for me on this too. We rejected (pure) client-side
      solutions as well: if you assume the possibility of a malicious user
      (who can't?), you have to.

      Our solution was:
      - use generated pages for this part of the process (so it didn't help
      to save URLs)
      - maintain a session key in the generated page, passing it back with the query
      - use some encryption tricks so users can't just make up a session key
      - make session keys temporary (expiring in say an hour) and one-use-only
      - maintain the state on the server ("this session is in step 3 of the
      checkout process; if anything except a cancel or a move to step 4
      comes in, back out to safe place")

      We only applied this in a couple of key places (in a sort of checkout
      process where you wanted non-repudiation).

      I would have thought that more modern tools would take care of this for you.

      --
      Bill Wake William.Wake@... www.xp123.com
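An added example (not code from the post or the list) of the server-side scheme Bill describes: HMAC-signed, expiring, one-use step tokens embedded in generated pages and checked against server-held checkout state, where a stale or out-of-order submission backs the session out to a safe step. The class and function names, the demo secret, the TTL and the step numbers are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real server loads this from configuration, not source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 3600  # tokens expire after an hour, as in the post (assumed value)
SAFE_STEP = 1     # "back out to safe place" resets the checkout here (assumed)
FINAL_STEP = 4    # assumed length of the checkout process

class CheckoutSession:
    """Server-side state for one user's checkout: current step plus outstanding one-use tokens."""

    def __init__(self):
        self.step = SAFE_STEP
        self.outstanding = set()  # tokens issued but not yet consumed

    def render_page(self, now=None):
        """Generate the page for the current step; returns the one-use token embedded in it."""
        now = int(time.time() if now is None else now)
        # Token body binds the step and expiry; the HMAC stops users making up their own keys.
        body = f"{self.step}:{now + TOKEN_TTL}:{secrets.token_hex(8)}"
        sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
        token = f"{body}:{sig}"
        self.outstanding.add(token)
        return token

    def submit(self, token, action, now=None):
        """Handle a form post carrying `token`; action is 'next' or 'cancel'."""
        now = int(time.time() if now is None else now)
        body, _, sig = token.rpartition(":")
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "rejected: forged token"          # signature does not verify
        if token not in self.outstanding:
            return "rejected: token already used"    # back button + resubmit of a consumed page
        self.outstanding.discard(token)              # one-use-only: consume before any other check
        step, expiry, _ = body.split(":")
        if now > int(expiry):
            return "rejected: token expired"
        if action == "cancel" or int(step) != self.step:
            # Cancel, or a valid but stale page from another step came back: back out to safe place.
            self.step = SAFE_STEP
            self.outstanding.clear()
            return "cancelled" if action == "cancel" else "reset: out-of-order step"
        self.step = min(self.step + 1, FINAL_STEP)
        return f"advanced to step {self.step}"
```

The out-of-order case is reached when the same step's page was rendered twice (two tabs) and the second copy is submitted after the first already advanced the session; a plain back-button resubmit is caught earlier as a reused token.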
    • Jeff Patton
      Message 42 of 42 , Dec 2, 2004
        --- In agile-usability@yahoogroups.com, "aacockburn" <acockburn@a...>
        wrote:
        >
        > --- In agile-usability@yahoogroups.com, "Jeff Patton"
        <jpatton@a...>
        > wrote:
        > > Things to try:
        > > Capture more durable information in wiki pages. [use the
        > socialtext
        > > wiki set up by Adina Levin? thanks for doing that btw]
        >
        > I'm thinking that the eGroup is good for noisy discussion and back-
        > and-forth, and wiki is good for archiving.

        I think yesterday's weather confirms your thinking.