Velocity Reviews


Guru 11-12-2003 02:07 PM

jsp form double posting
 
Hi,
I have a couple of jsp forms that double post down to the last
millisecond. I have used simple javascript to lock the form

function lockForm(frm)
{
    if(frm.Submit.value == 'Submit')
    {
        frm.submit();
        frm.Submit.value = 'Please Wait';
        frm.Submit.disabled = true;
    }
}


Somehow, folks still manage to double click on it. Is this an issue
with tomcat?

Can someone please explain to me the method of using session variables
to create tokens and pass the token around to prevent double clicks?
I have read a bit about this way of validation but don't know how
exactly to implement it.

Thanks,
Guru

Sergio Juan 11-12-2003 02:36 PM

Re: jsp form double posting
 
Just a couple of bits...

1. You are disabling submit after sending the form. As it depends on the
network, maybe this time is long enough for another click.
2. The easier/quicker the check is, the more improbable it is for someone to
bypass it.

I would try

var submited = false;

function lockForm(frm) {
    if(frm.Submit.value == 'Submit') {
        if (!submited) {
            submited=true;
            frm.Submit.disabled=true;
            frm.Submit.value='Please Wait';
            frm.submit();
        }
    }
}

HTH
"Guru" <gmandavia@smartbrief.com> wrote in message
news:bdc28426.0311120607.550cd09f@posting.google.com...
> Hi,
> I have a couple of jsp forms that double post down to the last
> millisecond. I have used simple javascript to lock the form
>
> function lockForm(frm)
> {
> if(frm.Submit.value == 'Submit')
> {
> frm.submit();
> frm.Submit.value = 'Please Wait';
> frm.Submit.disabled = true;
> }
> }
>
>
> Somehow, folks still manage to double click on it. Is this an issue
> with tomcat?
>
> Can someone please explain to me the method of using session variables
> to create tokens and pass the token around to prevent double clicks?
> I have read a bit about this way of validation but don't know how
> exactly to implement it.
>
> Thanks,
> Guru




Erwin Moller 11-12-2003 02:41 PM

Re: jsp form double posting
 
Guru wrote:

> Hi,
> I have a couple of jsp forms that double post down to the last
> millisecond. I have used simple javascript to lock the form
>
> function lockForm(frm)
> {
> if(frm.Submit.value == 'Submit')
> {
> frm.submit();
> frm.Submit.value = 'Please Wait';
> frm.Submit.disabled = true;
> }
> }
>
>
> Somehow, folks still manage to double click on it. Is this an issue
> with tomcat?
>
> Can someone please explain to me the method of using session variables
> to create tokens and pass the token around to prevent double clicks?
> I have read a bit about this way of validation but don't know how
> exactly to implement it.
>
> Thanks,
> Guru


Them impatient people. ;-)

I think the easiest way to get around this is using Javascript.
Of course you can code it into your servlets too, but a clientside approach
is a lot easier I think.
Try something like this (not tested yet, but should work):

var bAlreadyPosted = false;
function lockForm(frm)
{
    if(frm.Submit.value == 'Submit')
    {
        if (!bAlreadyPosted) {
            bAlreadyPosted = true;
            frm.submit();
            frm.Submit.value = 'Please Wait';
            frm.Submit.disabled = true;
        } else {
            alert ("YOU IMPATIENT PEOPLE! Give the computer a sporting chance!");
        }
    }
}


Of course, when a double posting makes your life really miserable, you
*should* do more than this, because another programmer can easily
circumvent this double posting.
If you want some serverside check, try something like this:
1) generate a unique big token and store it somewhere (db eg)
2) put this token as a hidden variable into the form you generate.
3) when the server receives that particular form let your servlet check if
the token exists. If it exists, delete it immediately, and do your
formprocessing as usual.
If it doesn't exist, ignore the posting, or complain to the user.

Regards,
Erwin Moller
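
The server-side token check from steps 1) to 3) above, as an added example that is not code from any poster in this thread. The class name OneTimeTokens and the in-memory set standing in for the session or database are assumptions; the point shown is that "check and delete" is one atomic remove, so two posts arriving in the same millisecond cannot both pass.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Added example: hypothetical helper, not part of the servlet API.
public class OneTimeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for per-session or database storage of outstanding tokens.
    private final Set<String> outstanding = ConcurrentHashMap.newKeySet();

    // Steps 1 and 2: create a large unpredictable token, remember it, and
    // return it so the page can emit it in a hidden form field.
    public String issue() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding.add(token);
        return token;
    }

    // Step 3: remove() tests and deletes in one atomic operation, so exactly
    // one of several simultaneous posts carrying the same token returns true.
    public boolean consume(String token) {
        return token != null && outstanding.remove(token);
    }

    public static void main(String[] args) throws InterruptedException {
        OneTimeTokens tokens = new OneTimeTokens();
        String hidden = tokens.issue();            // value of the hidden field
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] posts = new Thread[2];            // constructed double click
        for (int i = 0; i < posts.length; i++) {
            posts[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                if (tokens.consume(hidden)) accepted.incrementAndGet();
            });
            posts[i].start();
        }
        start.countDown();
        for (Thread t : posts) t.join();
        System.out.println("accepted posts: " + accepted.get());
        System.out.println("replay accepted: " + tokens.consume(hidden));
        System.out.println("missing token accepted: " + tokens.consume(null));
    }
}
```

In a servlet, issue() would run when the form page is rendered and consume() at the top of the POST handler, before any database write.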

Guru 11-12-2003 08:06 PM

Re: jsp form double posting
 
Erwin Moller <since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in message news:<3fb24620$0$58714$e4fe514c@news.xs4all.nl>...
> Guru wrote:
>
> > Hi,
> > I have a couple of jsp forms that double post down to the last
> > millisecond. I have used simple javascript to lock the form
> >
> > function lockForm(frm)
> > {
> > if(frm.Submit.value == 'Submit')
> > {
> > frm.submit();
> > frm.Submit.value = 'Please Wait';
> > frm.Submit.disabled = true;
> > }
> > }
> >
> >
> > Somehow, folks still manage to double click on it. Is this an issue
> > with tomcat?
> >
> > Can someone please explain to me the method of using session variables
> > to create tokens and pass the token around to prevent double clicks?
> > I have read a bit about this way of validation but don't know how
> > exactly to implement it.
> >
> > Thanks,
> > Guru

>
> Them impatient people. ;-)
>
> I think the easiest way to get around this is using Javascript.
> Of course you can code it into your servlets too, but a clientside approach
> is a lot easier I think.
> Try something like this (not tested yet, but should work):
>
> var bAlreadyPosted = false;
> function lockForm(frm)
> {
> if(frm.Submit.value == 'Submit')
> {
> if (!bAlreadyPosted) {
> bAlreadyPosted = true;
> frm.submit();
> frm.Submit.value = 'Please Wait';
> frm.Submit.disabled = true;
> } else {
> alert ("YOU IMPATIENT PEOPLE! Give the computer a sporting chance!");
> }
> }
> }
>
>
> Of course, when a double posting makes your life really miserable, you
> *should* do more than this, because another programmer can easily
> circumvent this double posting.
> If you want some serverside check, try something like this:
> 1) generate a unique big token and store it somewhere (db eg)
> 2) put this token as a hidden variable into the form you generate.
> 3) when the server receives that particular form let your servlet check if
> the token exists. If it exists, delete it immediately, and do your
> formprocessing as usual.
> If it doesn't exist, ignore the posting, or complain to the user.
>
> Regards,
> Erwin Moller



Thanks folks. I will try the first solution about disabling the
button first before posting the form. If that still fails, will try
the token solution. In any case, would the javascript solution break
if javascript is disabled? Is there a way to check for this? What to
do in that case?

Thx again,
Guru

Erwin Moller 11-17-2003 11:40 AM

Re: jsp form double posting
 
<snip>

>
> Thanks folks. I will try the first solution about disabling the
> button first before posting the form. If that still fails, will try
> the token solution. In any case, would the javascript solution break
> if javascript is disabled? Is there a way to check for this? What to
> do in that case?
>
> Thx again,
> Guru


Hi,

If javascript is disabled the javascript solution will not work, even worse,
if implemented as I suggested, your whole form will not be submitted
because javascript gives the form.submit() command.

No workaround there I am afraid.

If you think the token-approach is too complicated, you can do it a little
more 'dirty', but easier like this:

Use the session of the user to make sure he/she won't post the same form
within, say, 2 seconds, or whatever you think is a double impatient click.

You can store in the session a timestamp, and before inserting things into a
database, you check if more than 2 seconds have passed by comparing the
timestamp in the session with the current time.

If the time passed is less than what you consider reasonable, you refuse the
second posting.

This is very easy to implement.

Good luck,

Let us know how you solved it.

Regards,
Erwin Moller
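
The session timestamp check described above, as an added example that is not from the original post. SubmitThrottle is a hypothetical class holding what would be kept in the user's session; it uses a compare-and-set so that two requests arriving together cannot both read the old timestamp and both pass.

```java
import java.util.concurrent.atomic.AtomicLong;

// Added example: hypothetical per-session object; one instance would be
// stored as a session attribute for each user.
public class SubmitThrottle {
    private final long windowMillis;
    // Time of the last accepted post; Long.MIN_VALUE means "none yet".
    private final AtomicLong lastAccepted = new AtomicLong(Long.MIN_VALUE);

    public SubmitThrottle(long windowMillis) {
        this.windowMillis = windowMillis;
    }

    // Returns true if a post arriving at nowMillis may be processed.
    // A plain "read, compare, write" on a session attribute lets two
    // simultaneous requests both see the old value; compareAndSet lets
    // only one of them record its timestamp and proceed.
    public boolean tryAccept(long nowMillis) {
        while (true) {
            long last = lastAccepted.get();
            if (last != Long.MIN_VALUE && nowMillis - last < windowMillis) {
                return false;                       // inside the window: refuse
            }
            if (lastAccepted.compareAndSet(last, nowMillis)) {
                return true;                        // this request won the slot
            }
            // Another request updated the timestamp first; re-check against it.
        }
    }

    public static void main(String[] args) {
        SubmitThrottle throttle = new SubmitThrottle(2000);  // the 2 seconds above
        long t0 = System.currentTimeMillis();
        // Constructed arrival times relative to the first click.
        long[] offsets = {0, 3, 1500, 2000, 2100};
        for (long off : offsets) {
            System.out.println("+" + off + " ms accepted: " + throttle.tryAccept(t0 + off));
        }
    }
}
```

This refuses any second post inside the window, including a legitimate one from a different form, and accepts a replay of the same form once the window has passed, which the one-time token does not.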

