1.重複提交的情況:
①. 在表單提交到一個 Servlet, 而 Servlet 又通過請求轉發的方式響應一個 JSP(HTML) 頁面,
此時地址欄還保留着 Serlvet 的那個路徑, 在響應頁面點擊 "刷新"
②. 在響應頁面沒有到達時重複點擊 "提交按鈕".
③. 點擊 "返回", 再點擊 "提交"
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<form action="<%=request.getContextPath()%>/tokenServlet" method="post">
<input type="text" name="name"> <input type="submit">
</form>
</body>
</html>
public class TokenServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
Thread.currentThread().sleep(3000);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
String name = request.getParameter("name");
// 訪問數據庫服務器
System.out.println("name :" + name);
// request.getRequestDispatcher("/token/success.jsp").forward(request,
// response); // 轉發
// "/"代表WEB項目根目錄
response.sendRedirect(request.getContextPath() + "/token/success.jsp"); // 重定向
// “/”
// 代表
// WEB站點根目錄
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// TODO Auto-generated method stub
doGet(request, response);
}
}
2. 不是重複提交的情況: 點擊 "返回", "刷新" 原表單頁面, 再 "提交"。
3. 如何避免表單的重複提交: 在表單中做一個標記, 提交到 Servlet 時, 檢查標記是否存在且是否和預定義的標記一致, 若一致, 則受理請求,
並銷燬標記, 若不一致或沒有標記, 則直接響應提示信息: "重複提交"
方法
把標記放在 session 中
在原表單頁面, 生成一個隨機值 token
> 在原表單頁面, 把 token 值放入 session 屬性中
> 在原表單頁面, 把 token 值放入到 隱藏域 中.
> 在目標的 Servlet 中: 獲取 session 和 隱藏域 中的 token 值
> 比較兩個值是否一致: 若一致, 受理請求, 且把 session 域中的 token 屬性清除
> 若不一致, 則直接響應提示頁面: "重複提交"
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@page import="java.util.Date"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%
String tokenValue = new Date().getTime() + "";
session.setAttribute("token", tokenValue);
%>
<form action="<%=request.getContextPath()%>/tokenServlet" method="post">
<input type="hidden" name="token" value="<%=tokenValue%>"> <input
type="text" name="name"> <input type="submit">
</form>
</body>
</html>
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
Thread.currentThread().sleep(3000);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
HttpSession session = request.getSession();
Object token = session.getAttribute("token");
String tokenValue = request.getParameter("token");
System.out.println(token);
System.out.println(tokenValue);
if (token != null && token.equals(tokenValue)) {
session.removeAttribute("token");
} else {
response.sendRedirect(request.getContextPath() + "/token/token.jsp");
return;
}
String name = request.getParameter("name");
// 訪問數據庫服務器
System.out.println("name :" + name);
// request.getRequestDispatcher("/token/success.jsp").forward(request,
// response); // 轉發
// "/"代表WEB項目根目錄
response.sendRedirect(request.getContextPath() + "/token/success.jsp"); // 重定向
// “/”
// 代表
// WEB站點根目錄
}
使用TokenProcessor 工具類
package com.token;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class TokenProcessor {
public static final String TOKEN_KEY = "TOKEN_KEY";
private static final String TRANSACTION_TOKEN_KEY = "TRANSACTION_TOKEN_KEY";
private static TokenProcessor instance = new TokenProcessor();
private long previous;
protected TokenProcessor() {
super();
}
public static TokenProcessor getInstance() {
return instance;
}
public synchronized boolean isTokenValid(HttpServletRequest request) {
return this.isTokenValid(request, false);
}
public synchronized boolean isTokenValid(HttpServletRequest request, boolean reset) {
HttpSession session = request.getSession(false);
if (session == null) {
return false;
}
String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY);
if (saved == null) {
return false;
}
if (reset) {
this.resetToken(request);
}
String token = request.getParameter(TOKEN_KEY);
if (token == null) {
return false;
}
return saved.equals(token);
}
public synchronized void resetToken(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session == null) {
return;
}
session.removeAttribute(TRANSACTION_TOKEN_KEY);
}
public synchronized String saveToken(HttpServletRequest request) {
HttpSession session = request.getSession();
String token = generateToken(request);
if (token != null) {
session.setAttribute(TRANSACTION_TOKEN_KEY, token);
}
return token;
}
public synchronized String generateToken(HttpServletRequest request) {
HttpSession session = request.getSession();
return generateToken(session.getId());
}
public synchronized String generateToken(String id) {
try {
long current = System.currentTimeMillis();
if (current == previous) {
current++;
}
previous = current;
byte[] now = new Long(current).toString().getBytes();
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(id.getBytes());
md.update(now);
return toHex(md.digest());
} catch (NoSuchAlgorithmException e) {
return null;
}
}
private String toHex(byte[] buffer) {
StringBuffer sb = new StringBuffer(buffer.length * 2);
for (int i = 0; i < buffer.length; i++) {
sb.append(Character.forDigit((buffer[i] & 0xf0) >> 4, 16));
sb.append(Character.forDigit(buffer[i] & 0x0f, 16));
}
return sb.toString();
}
}
修改代碼
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@page import="java.util.Date"%>
<%@page import="com.token.TokenProcessor"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%-- <%
String tokenValue = new Date().getTime() + "";
session.setAttribute("token", tokenValue);
%> --%>
<%
%>
<form action="<%=request.getContextPath()%>/tokenServlet" method="post">
<input type="hidden" name="<%=TokenProcessor.TOKEN_KEY%>"
value="<%=TokenProcessor.getInstance().generateToken(request)%>">
<input type="text" name="name"> <input type="submit">
</form>
</body>
</html>
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
Thread.currentThread().sleep(3000);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
// HttpSession session = request.getSession();
// Object token = session.getAttribute("token");
// String tokenValue = request.getParameter("token");
// System.out.println(token);
// System.out.println(tokenValue);
//
// if (token != null && token.equals(tokenValue)) {
// session.removeAttribute("token");
// } else {
// response.sendRedirect(request.getContextPath() + "/token/token.jsp");
// return;
// }
boolean tokenValid = TokenProcessor.getInstance().isTokenValid(request);
if (tokenValid) {
TokenProcessor.getInstance().resetToken(request);
} else {
response.sendRedirect(request.getContextPath() + "/token/token.jsp");
return;
}
String name = request.getParameter("name");
// 訪問數據庫服務器
System.out.println("name :" + name);
// request.getRequestDispatcher("/token/success.jsp").forward(request,
// response); // 轉發
// "/"代表WEB項目根目錄
response.sendRedirect(request.getContextPath() + "/token/success.jsp"); // 重定向
// “/”
// 代表
// WEB站點根目錄
}