tomcat-users mailing list archives

From Tom Parker <>
Subject Re: Form Double Submit Detection
Date Tue, 28 Oct 2003 23:16:18 GMT
On Tue, 2003-10-28 at 23:40, Adam Hardy wrote:

> I don't store the token in the session. When the form submits, I check 
> the session for a hashmap, & if the token is not in the hashmap, I allow 
> the transaction and then put the token in the hashmap.

Interesting. You store the successful tokens so they can't be used
again, and ignore the tokens that are never returned to the server. This
would be more efficient for the case where the user views but never
submits more forms than they view and do submit. I'll have to analyse my
traffic some time and see what my users are doing.

Currently I've implemented the opposite: I keep track of all the tokens
and drop those that the user returns. I also drop all tokens older than
2 hours (which means the user has 2 hours to submit any particular form
before the token goes away and they can't). (And obviously I store them
in the session, so they all go away when the session does.)

I like your solution better than mine.

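The two schemes discussed in this thread, as an added example that is not code from either poster or from Tomcat. It models the per-session state only (a plain Python object standing in for the HttpSession), with a pluggable clock so the 2-hour expiry can be exercised. `IssuedTokenTracker` is Tom's approach (remember every token handed out, consume it on submit, drop stale ones); `UsedTokenTracker` is Adam's (store nothing at issue time, record a token only once it has been accepted). Both take a lock because a servlet container will happily run two submits for the same session on two threads at once, which is exactly the double-submit case. The class and method names are my own.

```python
"""Two session-scoped double-submit token schemes (illustrative, not from the thread)."""
import secrets
import threading
import time


class IssuedTokenTracker:
    """Track every token issued; accept a submit only if its token is still
    outstanding, and consume it. Tokens older than max_age seconds are dropped
    (the thread uses 2 hours)."""

    def __init__(self, max_age=2 * 60 * 60, clock=time.time):
        self._outstanding = {}          # token -> issue time (seconds)
        self._lock = threading.Lock()   # submits for one session may run concurrently
        self._max_age = max_age
        self._clock = clock             # injectable so expiry can be tested offline

    def issue(self):
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._expire()
            self._outstanding[token] = self._clock()
        return token

    def consume(self, token):
        """True exactly once per issued, unexpired token; False otherwise."""
        with self._lock:
            self._expire()
            return self._outstanding.pop(token, None) is not None

    def _expire(self):
        cutoff = self._clock() - self._max_age
        for tok, issued in list(self._outstanding.items()):
            if issued < cutoff:
                del self._outstanding[tok]

    def outstanding(self):
        return len(self._outstanding)


class UsedTokenTracker:
    """Store nothing at issue time; accept a submit if the token has never been
    seen, then record it so it cannot be replayed. Never-submitted forms cost
    no session memory, but the used set only shrinks when the session dies."""

    def __init__(self):
        self._used = set()
        self._lock = threading.Lock()

    def issue(self):
        return secrets.token_urlsafe(16)

    def consume(self, token):
        with self._lock:
            if token in self._used:
                return False
            self._used.add(token)
            return True

    def used(self):
        return len(self._used)


class FakeClock:
    """Manually advanced clock so the expiry path runs without sleeping."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def compare_schemes():
    """Run the same three submits through both trackers and report what each
    one accepts: a first submit, a replay of it, and a token never issued."""
    clock = FakeClock()
    issued = IssuedTokenTracker(clock=clock)
    used = UsedTokenTracker()
    results = {}
    for name, tracker in (("issued", issued), ("used", used)):
        tok = tracker.issue()
        results[name] = {
            "first_submit": tracker.consume(tok),
            "replay": tracker.consume(tok),
            "forged_token": tracker.consume("never-issued-token"),
        }
    # Expiry only exists in the issued-token scheme: a form left open for
    # three hours can no longer be submitted.
    stale = issued.issue()
    clock.advance(3 * 60 * 60)
    results["issued"]["stale_after_3h"] = issued.consume(stale)
    return results


if __name__ == "__main__":
    for scheme, outcome in compare_schemes().items():
        print(scheme, outcome)
```

The `forged_token` row is the practical caveat between the two designs: the issued-token scheme rejects anything it did not hand out, while the used-token scheme accepts any value it has not seen before, so on its own it detects duplicates but does not prove the form came from this server. Whichever scheme is used, the token check and the state update must happen under the same lock (or synchronized on the session); checking first and recording later in separate steps lets two simultaneous submits both pass.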