jsp form double posting

Discussion in 'Java' started by Guru, Nov 12, 2003.

  1. Guru

    Guru Guest

    Hi,
    I have a couple of jsp forms that double post down to the last
    millisecond. I have used simple javascript to lock the form

    function lockForm(frm)
    {
        if (frm.Submit.value == 'Submit')
        {
            frm.submit();
            frm.Submit.value = 'Please Wait';
            frm.Submit.disabled = true;
        }
    }


    Somehow, folks still manage to double click on it. Is this an issue
    with tomcat?

    Can someone please explain to me the method of using session variables
    to create tokens and pass the token around to prevent double clicks?
    I have read a bit about this way of validation but don't know how
    exactly to implement it.

    Thanks,
    Guru
     
    Guru, Nov 12, 2003
    #1

  2. Guru

    Sergio Juan Guest

    Just a couple of bits...

    1. You are disabling submit after sending the form. As it depends on the
    network, maybe this time is long enough for another click.
    2. The easier/quicker the check is, the more improbable it is for someone to
    bypass it.

    I would try

    var submited = false;

    function lockForm(frm) {
        if (frm.Submit.value == 'Submit') {
            if (!submited) {
                // Set the flag and disable the button before the form is sent
                submited = true;
                frm.Submit.disabled = true;
                frm.Submit.value = 'Please Wait';
                frm.submit();
            }
        }
    }

    HTH
    "Guru" <> wrote in message
    news:...
    > Hi,
    > I have a couple of jsp forms that double post down to the last
    > millisecond. I have used simple javascript to lock the form
    >
    > function lockForm(frm)
    > {
    > if(frm.Submit.value == 'Submit')
    > {
    > frm.submit();
    > frm.Submit.value = 'Please Wait';
    > frm.Submit.disabled = true;
    > }
    > }
    >
    >
    > Somehow, folks still manage to double click on it. Is this an issue
    > with tomcat?
    >
    > Can someone please explain to me the method of using session variables
    > to create tokens and pass the token around to prevent double clicks?
    > I have read a bit about this way of validation but don't know how
    > exactly to implement it.
    >
    > Thanks,
    > Guru
     
    Sergio Juan, Nov 12, 2003
    #2

  3. Guru

    Erwin Moller Guest

    Guru wrote:

    > Hi,
    > I have a couple of jsp forms that double post down to the last
    > millisecond. I have used simple javascript to lock the form
    >
    > function lockForm(frm)
    > {
    > if(frm.Submit.value == 'Submit')
    > {
    > frm.submit();
    > frm.Submit.value = 'Please Wait';
    > frm.Submit.disabled = true;
    > }
    > }
    >
    >
    > Somehow, folks still manage to double click on it. Is this an issue
    > with tomcat?
    >
    > Can someone please explain to me the method of using session variables
    > to create tokens and pass the token around to prevent double clicks?
    > I have read a bit about this way of validation but don't know how
    > exactly to implement it.
    >
    > Thanks,
    > Guru


    Them impatient people. ;-)

    I think the easiest way to get around this is using Javascript.
    Of course you can code it into your servlets too, but a clientside approach
    is a lot easier I think.
    Try something like this (not tested yet, but should work):

    var bAlreadyPosted = false;

    function lockForm(frm)
    {
        if (frm.Submit.value == 'Submit')
        {
            if (!bAlreadyPosted) {
                // First click: remember it, then submit and lock the button
                bAlreadyPosted = true;
                frm.submit();
                frm.Submit.value = 'Please Wait';
                frm.Submit.disabled = true;
            } else {
                alert("YOU IMPATIENT PEOPLE! Give the computer a sporting chance!");
            }
        }
    }


    Of course, when a double posting makes your life really miserable, you
    *should* do more than this, because another programmer can easily
    circumvent this double posting.
    If you want some serverside check, try something like this:
    1) generate a unique big token and store it somewhere (db eg)
    2) put this token as a hidden variable into the form you generate.
    3) when the server receives that particular form let your servlet check if
    the token exists. If it exists, delete it immediately, and do your
    form processing as usual.
    If it doesn't exist, ignore the posting, or complain to the user.

    Regards,
    Erwin Moller
     
    Erwin Moller, Nov 12, 2003
    #3
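
The server-side token check described in steps 1) to 3) of the post above, as an added example that is not part of the original thread. It is plain Java with an in-memory set standing in for the database or session; the class name `FormTokenStore`, the methods `issue`/`consume` and the hidden field name `formToken` are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/** One-time form tokens. All names here are hypothetical, not from the thread. */
public class FormTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for "store it somewhere (db eg)". In a servlet this could be
    // a session attribute or a database table with a unique key on the token.
    private final Set<String> outstanding = ConcurrentHashMap.newKeySet();

    /** Steps 1 and 2: create an unguessable token to embed as a hidden field. */
    public String issue() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding.add(token);
        return token;
    }

    /**
     * Step 3: check and delete as ONE atomic operation. A separate
     * contains() followed by remove() would let two posts arriving in the
     * same millisecond both pass the check before either deletes the token.
     */
    public boolean consume(String token) {
        return token != null && outstanding.remove(token);
    }

    public static void main(String[] args) throws InterruptedException {
        FormTokenStore store = new FormTokenStore();
        String token = store.issue();
        System.out.println("<input type=\"hidden\" name=\"formToken\" value=\"" + token + "\">");

        // Simulated double click: two request threads post the same token.
        AtomicInteger accepted = new AtomicInteger();
        Runnable post = () -> { if (store.consume(token)) accepted.incrementAndGet(); };
        Thread a = new Thread(post), b = new Thread(post);
        a.start(); b.start(); a.join(); b.join();

        System.out.println("accepted posts: " + accepted.get());
        System.out.println("later replay accepted: " + store.consume(token));
        System.out.println("made-up token accepted: " + store.consume("not-a-real-token"));
    }
}
```

With a database as the store, the same property comes from deleting the token row and processing the form only if exactly one row was deleted.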
  4. Guru

    Guru Guest

    Erwin Moller <> wrote in message news:<3fb24620$0$58714$4all.nl>...
    > Guru wrote:
    >
    > > Hi,
    > > I have a couple of jsp forms that double post down to the last
    > > millisecond. I have used simple javascript to lock the form
    > >
    > > function lockForm(frm)
    > > {
    > > if(frm.Submit.value == 'Submit')
    > > {
    > > frm.submit();
    > > frm.Submit.value = 'Please Wait';
    > > frm.Submit.disabled = true;
    > > }
    > > }
    > >
    > >
    > > Somehow, folks still manage to double click on it. Is this an issue
    > > with tomcat?
    > >
    > > Can someone please explain to me the method of using session variables
    > > to create tokens and pass the token around to prevent double clicks?
    > > I have read a bit about this way of validation but don't know how
    > > exactly to implement it.
    > >
    > > Thanks,
    > > Guru

    >
    > Them impatient people. ;-)
    >
    > I think the easiest way to get around this is using Javascript.
    > Of course you can code it into your servlets too, but a clientside approach
    > is a lot easier I think.
    > Try something like this (not tested yet, but should work):
    >
    > var bAlreadyPosted = false;
    > function lockForm(frm)
    > {
    > if(frm.Submit.value == 'Submit')
    > {
    > if (!bAlreadyPosted) {
    > bAlreadyPosted = true;
    > frm.submit();
    > frm.Submit.value = 'Please Wait';
    > frm.Submit.disabled = true;
    > } else {
    > alert ("YOU IMPATIENT PEOPLE! Give the computer a sporting chance!");
    > }
    > }
    > }
    >
    >
    > Of course, when a double posting makes your life really miserable, you
    > *should* do more than this, because another programmer can easily
    > circumvent this double posting.
    > If you want some serverside check, try something like this:
    > 1) generate a unique big token and store it somewhere (db eg)
    > 2) put this token as a hidden variable into the form you generate.
    > 3) when the server receives that particular form let your servlet check if
    > the token exists. If it exists, delete it immediately, and do your
    > form processing as usual.
    > If it doesn't exist, ignore the posting, or complain to the user.
    >
    > Regards,
    > Erwin Moller



    Thanks folks. I will try the first solution about disabling the
    button first before posting the form. If that still fails, will try
    the token solution. In any case, would the javascript solution break
    if javascript is disabled? Is there a way to check for this? What to
    do in that case?

    Thx again,
    Guru
     
    Guru, Nov 12, 2003
    #4
  5. Guru

    Erwin Moller Guest

    <snip>

    >
    > Thanks folks. I will try the first solution about disabling the
    > button first before posting the form. If that still fails, will try
    > the token solution. In any case, would the javascript solution break
    > if javascript is disabled? Is there a way to check for this? What to
    > do in that case?
    >
    > Thx again,
    > Guru


    Hi,

    If javascript is disabled the javascript solution will not work; even worse,
    if implemented as I suggested, your whole form will not be submitted
    because javascript gives the form.submit() command.

    No workaround there I am afraid.

    If you think the token-approach is too complicated, you can do it a little
    more 'dirty', but easier like this:

    Use the session of the user to make sure he/she won't post the same form
    within, say, 2 seconds, or whatever you think is a double impatient click.

    You can store in the session a timestamp, and before inserting things into a
    database, you check if more than 2 seconds have passed by comparing the
    timestamp in the session with the current time.

    If the time passed is less than what you consider reasonable, you refuse the
    second posting.

    This is very easy to implement.

    Good luck,

    Let us know how you solved it.

    Regards,
    Erwin Moller
     
    Erwin Moller, Nov 17, 2003
    #5
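
The session-timestamp check described in the post above, as an added example that is not part of the original thread. The class name `SubmitThrottle` and the method `tryAccept` are assumptions, one instance is assumed to be kept per user session, and the arrival times are constructed sample data.

```java
import java.util.concurrent.atomic.AtomicLong;

/** Per-session guard; a servlet would keep one instance as a session attribute (assumption). */
public class SubmitThrottle {
    private static final long NEVER = Long.MIN_VALUE; // no post accepted yet
    private final long windowMillis;
    private final AtomicLong lastAccepted = new AtomicLong(NEVER);

    public SubmitThrottle(long windowMillis) {
        this.windowMillis = windowMillis;
    }

    /** Returns true if a post arriving at time nowMillis should be processed. */
    public boolean tryAccept(long nowMillis) {
        while (true) {
            long last = lastAccepted.get();
            if (last != NEVER && nowMillis - last < windowMillis) {
                return false; // still inside the window: refuse this post
            }
            // compareAndSet, so two simultaneous posts cannot both read the
            // old timestamp and both be accepted; the loser retries and is
            // then refused by the window check above.
            if (lastAccepted.compareAndSet(last, nowMillis)) {
                return true;
            }
        }
    }

    public static void main(String[] args) {
        SubmitThrottle throttle = new SubmitThrottle(2000); // the 2 seconds from the post
        // Constructed arrival times in milliseconds; a servlet would pass
        // System.currentTimeMillis() instead.
        long[] arrivals = {10_000, 10_003, 11_500, 12_100, 15_000};
        for (long t : arrivals) {
            System.out.println(t + " ms -> " + (throttle.tryAccept(t) ? "process" : "refuse"));
        }
    }
}
```

This only rejects posts that arrive inside the window: the same form posted again after the window has passed is accepted, which the one-time token check does not allow.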