1.重复提交的情况:
①. 在表单提交到一个 Servlet, 而 Servlet 又通过请求转发的方式响应一个 JSP(HTML) 页面,
此时地址栏还保留着 Serlvet 的那个路径, 在响应页面点击 "刷新"
②. 在响应页面没有到达时重复点击 "提交按钮".
③. 点击 "返回", 再点击 "提交"
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<form action="<%=request.getContextPath()%>/tokenServlet" method="post">
<input type="text" name="name"> <input type="submit">
</form>
</body>
</html>
public class TokenServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
Thread.currentThread().sleep(3000);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
String name = request.getParameter("name");
// 访问数据库服务器
System.out.println("name :" + name);
// request.getRequestDispatcher("/token/success.jsp").forward(request,
// response); // 转发
// "/"代表WEB项目根目录
response.sendRedirect(request.getContextPath() + "/token/success.jsp"); // 重定向
// “/”
// 代表
// WEB站点根目录
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// TODO Auto-generated method stub
doGet(request, response);
}
}
2. 不是重复提交的情况: 点击 "返回", "刷新" 原表单页面, 再 "提交"。
3. 如何避免表单的重复提交: 在表单中做一个标记, 提交到 Servlet 时, 检查标记是否存在且是否和预定义的标记一致, 若一致, 则受理请求,
并销毁标记, 若不一致或没有标记, 则直接响应提示信息: "重复提交"
方法
把标记放在 session 中
在原表单页面, 生成一个随机值 token
> 在原表单页面, 把 token 值放入 session 属性中
> 在原表单页面, 把 token 值放入到 隐藏域 中.
> 在目标的 Servlet 中: 获取 session 和 隐藏域 中的 token 值
> 比较两个值是否一致: 若一致, 受理请求, 且把 session 域中的 token 属性清除
> 若不一致, 则直接响应提示页面: "重复提交"
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@page import="java.util.Date"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%
String tokenValue = new Date().getTime() + "";
session.setAttribute("token", tokenValue);
%>
<form action="<%=request.getContextPath()%>/tokenServlet" method="post">
<input type="hidden" name="token" value="<%=tokenValue%>"> <input
type="text" name="name"> <input type="submit">
</form>
</body>
</html>
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
Thread.currentThread().sleep(3000);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
HttpSession session = request.getSession();
Object token = session.getAttribute("token");
String tokenValue = request.getParameter("token");
System.out.println(token);
System.out.println(tokenValue);
if (token != null && token.equals(tokenValue)) {
session.removeAttribute("token");
} else {
response.sendRedirect(request.getContextPath() + "/token/token.jsp");
return;
}
String name = request.getParameter("name");
// 访问数据库服务器
System.out.println("name :" + name);
// request.getRequestDispatcher("/token/success.jsp").forward(request,
// response); // 转发
// "/"代表WEB项目根目录
response.sendRedirect(request.getContextPath() + "/token/success.jsp"); // 重定向
// “/”
// 代表
// WEB站点根目录
}
使用TokenProcessor 工具类
package com.token;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class TokenProcessor {
public static final String TOKEN_KEY = "TOKEN_KEY";
private static final String TRANSACTION_TOKEN_KEY = "TRANSACTION_TOKEN_KEY";
private static TokenProcessor instance = new TokenProcessor();
private long previous;
protected TokenProcessor() {
super();
}
public static TokenProcessor getInstance() {
return instance;
}
public synchronized boolean isTokenValid(HttpServletRequest request) {
return this.isTokenValid(request, false);
}
public synchronized boolean isTokenValid(HttpServletRequest request, boolean reset) {
HttpSession session = request.getSession(false);
if (session == null) {
return false;
}
String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY);
if (saved == null) {
return false;
}
if (reset) {
this.resetToken(request);
}
String token = request.getParameter(TOKEN_KEY);
if (token == null) {
return false;
}
return saved.equals(token);
}
public synchronized void resetToken(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session == null) {
return;
}
session.removeAttribute(TRANSACTION_TOKEN_KEY);
}
public synchronized String saveToken(HttpServletRequest request) {
HttpSession session = request.getSession();
String token = generateToken(request);
if (token != null) {
session.setAttribute(TRANSACTION_TOKEN_KEY, token);
}
return token;
}
public synchronized String generateToken(HttpServletRequest request) {
HttpSession session = request.getSession();
return generateToken(session.getId());
}
public synchronized String generateToken(String id) {
try {
long current = System.currentTimeMillis();
if (current == previous) {
current++;
}
previous = current;
byte[] now = new Long(current).toString().getBytes();
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(id.getBytes());
md.update(now);
return toHex(md.digest());
} catch (NoSuchAlgorithmException e) {
return null;
}
}
private String toHex(byte[] buffer) {
StringBuffer sb = new StringBuffer(buffer.length * 2);
for (int i = 0; i < buffer.length; i++) {
sb.append(Character.forDigit((buffer[i] & 0xf0) >> 4, 16));
sb.append(Character.forDigit(buffer[i] & 0x0f, 16));
}
return sb.toString();
}
}
修改代码
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@page import="java.util.Date"%>
<%@page import="com.token.TokenProcessor"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%-- <%
String tokenValue = new Date().getTime() + "";
session.setAttribute("token", tokenValue);
%> --%>
<%
%>
<form action="<%=request.getContextPath()%>/tokenServlet" method="post">
<input type="hidden" name="<%=TokenProcessor.TOKEN_KEY%>"
value="<%=TokenProcessor.getInstance().generateToken(request)%>">
<input type="text" name="name"> <input type="submit">
</form>
</body>
</html>
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
Thread.currentThread().sleep(3000);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
// HttpSession session = request.getSession();
// Object token = session.getAttribute("token");
// String tokenValue = request.getParameter("token");
// System.out.println(token);
// System.out.println(tokenValue);
//
// if (token != null && token.equals(tokenValue)) {
// session.removeAttribute("token");
// } else {
// response.sendRedirect(request.getContextPath() + "/token/token.jsp");
// return;
// }
boolean tokenValid = TokenProcessor.getInstance().isTokenValid(request);
if (tokenValid) {
TokenProcessor.getInstance().resetToken(request);
} else {
response.sendRedirect(request.getContextPath() + "/token/token.jsp");
return;
}
String name = request.getParameter("name");
// 访问数据库服务器
System.out.println("name :" + name);
// request.getRequestDispatcher("/token/success.jsp").forward(request,
// response); // 转发
// "/"代表WEB项目根目录
response.sendRedirect(request.getContextPath() + "/token/success.jsp"); // 重定向
// “/”
// 代表
// WEB站点根目录
}