jsp form double posting

Guru

Hi,
I have a couple of jsp forms that double post down to the last
millisecond. I have used simple javascript to lock the form

function lockForm(frm)
{
    if (frm.Submit.value == 'Submit')
    {
        frm.submit();
        frm.Submit.value = 'Please Wait';
        frm.Submit.disabled = true;
    }
}


Somehow, folks still manage to double click on it. Is this an issue
with tomcat?

Can someone please explain to me the method of using session variables
to create tokens and pass the token around to prevent double clicks?
I have read a bit about this way of validation but don't know how
exactly to implement it.

Thanks,
Guru
 
Sergio Juan

Just a couple of bits...

1. You are disabling submit after sending the form. As it depends on the
network, maybe this time is long enough for another click.
2. The easier/quicker the check is, the more improbable it is for someone to
bypass it.

I would try

var submited = false;

function lockForm(frm) {
    if (frm.Submit.value == 'Submit') {
        if (!submited) {
            submited = true;
            frm.Submit.disabled = true;
            frm.Submit.value = 'Please Wait';
            frm.submit();
        }
    }
}

HTH
 
Erwin Moller

Guru said:
Hi,
I have a couple of jsp forms that double post down to the last
millisecond. I have used simple javascript to lock the form

function lockForm(frm)
{
    if (frm.Submit.value == 'Submit')
    {
        frm.submit();
        frm.Submit.value = 'Please Wait';
        frm.Submit.disabled = true;
    }
}


Somehow, folks still manage to double click on it. Is this an issue
with tomcat?

Can someone please explain to me the method of using session variables
to create tokens and pass the token around to prevent double clicks?
I have read a bit about this way of validation but don't know how
exactly to implement it.

Thanks,
Guru

Them impatient people. ;-)

I think the easiest way to get around this is using Javascript.
Of course you can code it into your servlets too, but a clientside approach
is a lot easier I think.
Try something like this (not tested yet, but should work):

var bAlreadyPosted = false;
function lockForm(frm)
{
    if (frm.Submit.value == 'Submit')
    {
        if (!bAlreadyPosted) {
            bAlreadyPosted = true;
            frm.submit();
            frm.Submit.value = 'Please Wait';
            frm.Submit.disabled = true;
        } else {
            alert("YOU IMPATIENT PEOPLE! Give the computer a sporting chance!");
        }
    }
}


Of course, when a double posting makes your life really miserable, you
*should* do more than this, because another programmer can easily
circumvent this double posting.
If you want some serverside check, try something like this:
1) generate a unique big token and store it somewhere (db eg)
2) put this token as a hidden variable into the form you generate.
3) when the server receives that particular form let your servlet check if
the token exists. If it exists, delete it immediately, and do your
form processing as usual.
If it doesn't exist, ignore the posting, or complain to the user.

Regards,
Erwin Moller
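
The three token steps from the post above, as an added example that is not part of the original thread. The class name `FormTokenStore` is hypothetical, and it is assumed that one instance per user is kept as a session attribute; the check and the delete in step 3 are done as one atomic operation, because two posts arriving in the same millisecond are handled by two threads.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

/** One-time form tokens (hypothetical class name, not from the thread). */
public class FormTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumption: in a servlet, one store per user lives in the HttpSession.
    private final Set<String> pending = ConcurrentHashMap.newKeySet();

    /** Steps 1 and 2: create a token, remember it, return it for the hidden field. */
    public String issue() {
        byte[] raw = new byte[16];               // 128 random bits
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.add(token);
        return token;
    }

    /** Step 3: true only for the first request presenting the token.
     *  remove() on a concurrent set is a single atomic check-and-delete,
     *  so a separate contains() followed by remove() is deliberately avoided. */
    public boolean consume(String token) {
        return token != null && pending.remove(token);
    }

    // Constructed demo: two threads post the same token at the same moment,
    // then the token is replayed, then a token that was never issued is tried.
    public static void main(String[] args) throws InterruptedException {
        FormTokenStore store = new FormTokenStore();
        String token = store.issue();
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Runnable post = () -> {
            try { start.await(); } catch (InterruptedException e) { return; }
            if (store.consume(token)) accepted.incrementAndGet();
        };
        Thread a = new Thread(post), b = new Thread(post);
        a.start(); b.start();
        start.countDown();
        a.join(); b.join();
        System.out.println("accepted posts:   " + accepted.get());
        System.out.println("replay accepted:  " + store.consume(token));
        System.out.println("unknown accepted: " + store.consume("not-issued"));
    }
}
```

The servlet would call `issue()` when rendering the form and `consume()` on the posted hidden field before doing any form processing.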
 
Guru

Erwin Moller said:
Them impatient people. ;-)

I think the easiest way to get around this is using Javascript.
Of course you can code it into your servlets too, but a clientside approach
is a lot easier I think.
Try something like this (not tested yet, but should work):

var bAlreadyPosted = false;
function lockForm(frm)
{
    if (frm.Submit.value == 'Submit')
    {
        if (!bAlreadyPosted) {
            bAlreadyPosted = true;
            frm.submit();
            frm.Submit.value = 'Please Wait';
            frm.Submit.disabled = true;
        } else {
            alert("YOU IMPATIENT PEOPLE! Give the computer a sporting chance!");
        }
    }
}


Of course, when a double posting makes your life really miserable, you
*should* do more than this, because another programmer can easily
circumvent this double posting.
If you want some serverside check, try something like this:
1) generate a unique big token and store it somewhere (db eg)
2) put this token as a hidden variable into the form you generate.
3) when the server receives that particular form let your servlet check if
the token exists. If it exists, delete it immediately, and do your
form processing as usual.
If it doesn't exist, ignore the posting, or complain to the user.

Regards,
Erwin Moller


Thanks folks. I will try the first solution about disabling the
button first before posting the form. If that still fails, will try
the token solution. In any case, would the javascript solution break
if javascript is disabled? Is there a way to check for this? What to
do in that case?

Thx again,
Guru
 
Erwin Moller

Guru said:
Thanks folks. I will try the first solution about disabling the
button first before posting the form. If that still fails, will try
the token solution. In any case, would the javascript solution break
if javascript is disabled? Is there a way to check for this? What to
do in that case?

Thx again,
Guru

Hi,

If JavaScript is disabled the JavaScript solution will not work; even worse,
if implemented as I suggested, your whole form will not be submitted
because JavaScript gives the form.submit() command.

No workaround there I am afraid.

If you think the token-approach is too complicated, you can do it a little
more 'dirty', but easier like this:

Use the session of the user to make sure he/she won't post the same form
within, say, 2 seconds, or whatever you think is a double impatient click.

You can store in the session a timestamp, and before inserting things into a
database, you check if more than 2 seconds have passed by comparing the
timestamp in the session with the current time.

If the time passed is less than what you consider reasonable, you refuse the
second posting.

This is very easy to implement.

Good luck,

Let us know how you solved it.

Regards,
Erwin Moller
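
The session-timestamp check from the post above, as an added example that is not part of the original thread. The class name `SubmitThrottle` is hypothetical, and it is assumed that one instance is stored in the user's session; the timestamp is read and updated in one compare-and-set so that two requests processed at the same instant cannot both see the old value.

```java
import java.util.concurrent.atomic.AtomicLong;

/** Per-session resubmit guard (hypothetical class name, not from the thread). */
public class SubmitThrottle {
    private final long minGapMillis;
    // Time of the last accepted post; -1 means none yet.
    private final AtomicLong lastAccepted = new AtomicLong(-1);

    public SubmitThrottle(long minGapMillis) {
        this.minGapMillis = minGapMillis;
    }

    /** Returns true if this post may proceed, false if it arrived too soon
     *  after the previous accepted one. A plain "read timestamp, compare,
     *  then store" sequence lets two simultaneous requests both pass;
     *  the compare-and-set loop lets only one of them win. */
    public boolean tryAccept(long nowMillis) {
        while (true) {
            long prev = lastAccepted.get();
            if (prev >= 0 && nowMillis - prev < minGapMillis) {
                return false;
            }
            if (lastAccepted.compareAndSet(prev, nowMillis)) {
                return true;
            }
        }
    }

    // Constructed demo with fixed clock values instead of real requests.
    public static void main(String[] args) {
        SubmitThrottle guard = new SubmitThrottle(2000);   // 2 seconds, as in the post
        System.out.println("first post:        " + guard.tryAccept(10_000));
        System.out.println("1 ms later:        " + guard.tryAccept(10_001));
        System.out.println("2.5 seconds later: " + guard.tryAccept(12_500));
    }
}
```

In a servlet the caller would pass `System.currentTimeMillis()` and skip the database insert when `tryAccept` returns false.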
 