
restricting users resubmitting requests

 
Tony Williamson
Greenhorn
Posts: 6
How can I stop users using the back button, refresh, etc. to make requests that I don't want them to make? For example, if the user submits a form which inserts a database record and then presses refresh, they submit another database record the same.

I notice on other sites it will say "this page has expired" or something similar.

When searching I found info about a PRG pattern. Is this the best method or are there other ways? I would like to use the simplest method possible.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65216
PRG is your best practice.
 
Tony Williamson
Greenhorn
Posts: 6
Bear Bibeault wrote: PRG is your best practice.

I read two articles about it but I'm not sure if it is possible in my application without redesigning the whole thing.

Is there any other way to do it?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
Tony Williamson wrote: I notice on other sites it will say "this page has expired" or something similar.
Disable client side caching of the page by setting the cache-control, pragma and expires headers accordingly.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65216
Cache control won't help with the problem of resubmitting a POST sitting on the page.

You either need to refactor the app, or bend over backwards to try and determine if an action is being repeated.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
No, not that. You already mentioned the PRG pattern for that.

Another alternative is a (preshared) key with a unique identifier in the session scope which is passed as a request parameter and is immediately handled at the very beginning of the request processing. Apache's MVC framework Struts uses this technique under the name "token".
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65216
Using that technique, care must be taken that the token isn't just recreated as part of the refresh, but that may be the path of least resistance in this case.
 
Tony Williamson
Greenhorn
Posts: 6
Thanks for the help guys. I think I'll try the token method.

Is there a specific term for this method that will help me find more info about it? I'm not sure how to make it work.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
1) Generate a unique key.
2) Store it in a collection in the session scope.
3) Add this key to the form as a hidden input value.
4) On processing of the request immediately check if the key is present in the collection in the session scope.
5a) If it is present, remove it from the collection and proceed with request.
5b) If it is absent (can be caused by either double submit or expiration of session), abort the request.
 
Rahul Ba
Ranch Hand
Posts: 210
Yes, you should use the token concept from Struts.
 