restricting users resubmitting requests

Tony Williamson
Greenhorn

Joined: Feb 15, 2009
Posts: 6
How can I stop users using the back button, refresh, etc. to make requests that I don't want them to make? For example, if the user submits a form which inserts a database record and then presses refresh, they submit another database record the same.

I notice on other sites it will say "this page has expired" or something similar.

When searching I found info about a PRG pattern. Is this the best method, or are there other ways? I would like to use the simplest method possible.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61662
    

PRG is your best practice.


Tony Williamson
Greenhorn

Joined: Feb 15, 2009
Posts: 6
Bear Bibeault wrote: PRG is your best practice.

I read two articles about it but I'm not sure if it is possible in my application without redesigning the whole thing.

Is there any other way to do it?
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Tony Williamson wrote: I notice on other sites it will say "this page has expired" or something similar.
Disable client side caching of the page by setting the cache-control, pragma and expires headers accordingly.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61662
    

Cache control won't help with the problem of resubmitting a POST sitting on the page.

You either need to refactor the app, or bend over backwards to try and determine if an action is being repeated.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
No, not that. You already mentioned the PRG pattern for that.

Another alternative is a (preshared) key with a unique identifier in the session scope, which is passed as a request parameter and is handled immediately at the very beginning of the request processing. Apache's MVC framework Struts uses this technique under the name "token".
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61662
    

Using that technique, care must be taken that the token isn't just recreated as part of the refresh, but that may be the path of least resistance in this case.
Tony Williamson
Greenhorn

Joined: Feb 15, 2009
Posts: 6
Thanks for the help, guys. I think I'll try the token method.

Is there a specific term for this method that will help me find more info about it? I'm not sure how to make it work.
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
1) Generate a unique key.
2) Store it in a collection in the session scope.
3) Add this key to the form as a hidden input value.
4) On processing of the request immediately check if the key is present in the collection in the session scope.
5a) If it is present, remove it from the collection and proceed with the request.
5b) If it is absent (can be caused by either double submit or expiration of session), abort the request.
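
The steps listed above as a runnable sketch, added here as an example and not code posted by anyone in the thread. The class name `FormTokens` and its methods are hypothetical, and a plain object stands in for the session-scoped collection so it runs without a servlet container.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** One-time form tokens. Assumption: one instance is kept per user session,
 *  for example as a session attribute. */
public class FormTokens {
    private static final SecureRandom RNG = new SecureRandom();

    // Step 2: the collection that lives in session scope.
    private final Set<String> pending = ConcurrentHashMap.newKeySet();

    /** Steps 1-3: generate an unguessable key, remember it, and return it so the
     *  page that renders the form can emit it as a hidden input. Call this only
     *  when rendering the form, never while processing the submit, otherwise a
     *  refresh of the POST would simply mint a fresh valid token. */
    public String issue() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.add(token);
        return token;
    }

    /** Steps 4-5: call first thing in request processing. Set.remove() checks and
     *  removes in one atomic operation, so two concurrent submits of the same
     *  form cannot both pass. Returns false for a repeat, a missing parameter,
     *  or a token from an expired session. */
    public boolean consume(String submitted) {
        return submitted != null && pending.remove(submitted);
    }

    public static void main(String[] args) {
        FormTokens session = new FormTokens();   // stands in for one user's session
        String token = session.issue();          // value of the hidden form field

        System.out.println("first submit accepted:   " + session.consume(token));
        System.out.println("refresh accepted:        " + session.consume(token));
        System.out.println("no token accepted:       " + session.consume(null));
        // A new session has an empty collection, which models session expiry (5b).
        System.out.println("expired session accepts: " + new FormTokens().consume(token));
    }
}
```

In a servlet, the value returned by `issue()` would be written into the form, and the handler would abort the insert whenever `consume(request.getParameter(...))` returns false.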
Rahul Ba
Ranch Hand

Joined: Oct 01, 2008
Posts: 205
Yes, you should use the token concept from Struts.
 