tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: Form Double Submit Detection
Date Tue, 28 Oct 2003 10:40:36 GMT
On 10/28/2003 10:42 AM Walker Chris wrote:
> Tom,
> 
> You can also put JavaScript code in the form's onSubmit event code to
> disable all the elements in the form.  To make sure this happens after
> submission (otherwise nothing gets submitted) use window.setTimeout() to run
> the disable script after a short delay.
> 
> Another alternative is to put a unique token in a hidden field.  The server
> keeps track of these tokens: once one is "spent" by submitting the form it
> can't be reused.  This is more bulletproof but needs more coding (though I
> expect you could use a filter to localize it).

Jakarta Struts has some good token creation code in its TokenProcessor 
class.

Struts uses it so: on requesting the form, struts creates the token, 
stores it in a hidden field in the form and in the session. On submit, 
it checks the value of the hidden field against the value in the 
session. If they are not the same or are missing, it means the token in 
the form is invalid.

I souped up this mechanism to overcome the problem that users opening 
multiple windows would invalidate the tokens in all but the most 
recently opened window.

I don't store the token in the session. When the form submits, I check 
the session for a hashmap, and if the token is not in the hashmap, I allow 
the transaction and then put the token in the hashmap.

Adam

-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
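An added example, not Struts' TokenProcessor and not the poster's code, of a synchronizer token that copes with several open windows. Where the Struts scheme keeps one token per session (so the newest window invalidates the others) and the poster's variant keeps a set of already spent tokens (so any value the server has never seen is accepted, and the hidden field no longer proves the form was issued by this server), this version keeps a set of outstanding, not yet spent tokens in the session: a submit is honoured only if the token was issued to this session and is removed in the same step, so every open window keeps its own valid token, a double click is rejected on the second submit, and a guessed value is rejected outright. The Map stands in for HttpSession attributes so the class runs stand-alone; the attribute name and class name are assumptions, not Struts identifiers.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Multi-window synchronizer token. The session holds the set of tokens
 * that have been handed out but not yet spent; a submit removes its token
 * from that set and is accepted only if the removal actually happened.
 */
public final class FormTokens {
    // Hypothetical session attribute name (not a Struts constant).
    static final String ATTR = "FormTokens.outstanding";
    private static final SecureRandom RNG = new SecureRandom();

    /** On rendering the form: mint a fresh token, remember it, return it for the hidden field. */
    public static String issue(Map<String, Object> session) {
        byte[] buf = new byte[16];                       // 128 bits from a CSPRNG, not a counter or timestamp
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        Set<String> set = outstanding(session);
        synchronized (set) {
            set.add(token);
        }
        return token;
    }

    /**
     * On submit: accept exactly once. remove() both tests and spends the token
     * under one lock, so two near-simultaneous submits of the same form cannot
     * both see it as unspent. A missing, empty or never-issued token fails.
     */
    public static boolean consume(Map<String, Object> session, String submitted) {
        if (submitted == null || submitted.isEmpty()) {
            return false;
        }
        Set<String> set = outstanding(session);
        synchronized (set) {
            return set.remove(submitted);
        }
    }

    /** Lazily creates the per-session set; synchronized so two requests of one session cannot both create it. */
    @SuppressWarnings("unchecked")
    private static Set<String> outstanding(Map<String, Object> session) {
        synchronized (session) {
            Set<String> set = (Set<String>) session.get(ATTR);
            if (set == null) {
                set = new HashSet<>();
                session.put(ATTR, set);
            }
            return set;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed stand-in for one user's HttpSession
        String win1 = issue(session);                    // form rendered in a first browser window
        String win2 = issue(session);                    // same user opens the form in a second window
        System.out.println("window 1 first submit: " + consume(session, win1));
        System.out.println("window 1 resubmit:     " + consume(session, win1));  // same token sent again (double click / reload)
        System.out.println("window 2 submit:       " + consume(session, win2));  // unaffected by window 1
        System.out.println("never-issued token:    " + consume(session, "guessed-by-attacker"));
    }
}
```

In a servlet the two calls map onto the two halves of the flow: `issue(...)` runs where the form JSP is rendered and its return value goes into a hidden field, and `consume(...)` runs first thing in the action or in a filter, with the request rejected (or redirected to a "already processed" page) when it returns false. The set grows by one entry for every form rendered and never submitted, so in practice cap its size or rely on the session timeout to discard it; and because the token is only as good as its secrecy, it should travel in a POST body rather than a URL, where it would land in logs and Referer headers.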