Session Token to Prevent Duplicate Form Submission, Revisited

Source: Internet
Author: User

1. Before the form page is initialized, a token value is stored in the session and written into a hidden field on the form page; then initialization proceeds.

Before the form page is initialized, an AJAX request asks the back end to generate the token and return it to the form page:

    function generateTokenId() {
        var url = appPath + '/page/placeorder/order/generateTokenId';
        doAjax({
            url: url,
            type: 'post',
            async: false,
            success: function (data) {
                // the back end returns the new token as the response body
                $("#tokenId").val(data);
            }
        });
    }
    @RequestMapping(value = "/order/generateTokenId")
    @ResponseBody
    public String initCreateOrder(HttpServletRequest request) {
        String uuid = UUID.randomUUID().toString();
        HttpSession session = request.getSession();
        // keep the token in the session; the same value goes back to the hidden field
        session.setAttribute("UUID", uuid);
        return uuid;
    }
    <!-- submit button -->
    <div style="width:700px;margin-top:5px;text-align:center">
        <input type="hidden" id="tokenId"/>
        <a class="easyui-linkbutton" href="javascript:void(0)" iconCls="icon-ok" onclick="doCreateOrder()">Submit Order</a>
        &nbsp;&nbsp;&nbsp;&nbsp;
        <a class="easyui-linkbutton" href="javascript:void(0)" iconCls="icon-cancel" onclick="closeTab()">Cancel Order</a>
    </div>

2. When the form is submitted, the token from the hidden field is sent to the back end as a parameter and compared with the token taken from the session. If they match, processing continues and the token is removed from the session; otherwise the request is treated as a duplicate submission and returned directly.

Comparison:

    // synchronized on the controller: the read-compare-remove below is not atomic by itself,
    // so without it two simultaneous submissions (a double-click) could both pass the check
    public synchronized Map<String, Object> createOrder(HttpServletRequest request, OrderInfo orderInfo) {
        boolean flag = this.isResubmit(request, orderInfo); // true when the submitted token matches the session
        Map<String, Object> resuMap = new HashMap<String, Object>();
        if (flag) {
            request.getSession().removeAttribute("UUID"); // verification succeeded: remove the token promptly

            try {
                String result = doCreateOrder(orderInfo);
                if ("OK".equals(result)) {
                    // continue with subsequent operations
                } else {
                    String uuid = initCreateOrder(request); // token reset
                    resuMap.put("tokenId", uuid);
                }
            } catch (Exception e) {
                // exception handling is omitted on the original page
            }
        }
        return resuMap;
    }
    // despite its name, returns true when the token is valid (first submission), false otherwise
    private boolean isResubmit(HttpServletRequest request, OrderInfo orderInfo) {
        boolean flag = false;
        String uuid = null;
        if (null != request.getSession().getAttribute("UUID")) {
            uuid = request.getSession().getAttribute("UUID").toString();
        }
        String timeId = orderInfo.getTimeId(); // timeId carries the tokenId from the hidden field
        if (null != timeId && timeId.equals(uuid)) {
            flag = true;
        }
        return flag;
    }

3. If the subsequent processing validates the form and the validation fails, the user stays on the current page, so the token in the session must be reset and the new token written back into the hidden field (usually in the AJAX response). Otherwise the form is left holding a token that has already been removed from the session, and the next submission would be rejected as a duplicate.

 1  if  (result== ' OK '  2  //  continue to follow the  3 }else  {  Initcreateorder (reques t);  5  resumap.put ("Tokenid" ,uuid);  6 } 
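The three steps above depend on the check and the removal of the token happening as one unit; the page's code gets that by marking the whole order controller synchronized, which also serializes every user's orders behind one lock. The following is an added example, not code from the original page, that keeps the same three steps (mint, consume, re-issue on failure) but makes the consume step itself atomic with ConcurrentHashMap.remove(key, value). TokenGuard, the session-id-keyed store and the simulated createOrder are hypothetical and stand in for the HttpSession attribute "UUID" so the class compiles with a plain JDK and no servlet dependency.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Hypothetical TokenGuard: one outstanding form token per session, consumed atomically.
 * Replaces the session attribute "UUID" from the page with a store keyed by session id
 * so it can be shared across request threads without a method-wide synchronized.
 */
public class TokenGuard {

    // sessionId -> currently valid token (assumption: one form in flight per session)
    private final Map<String, String> tokens = new ConcurrentHashMap<>();

    /** Step 1: mint a token and remember it for this session; the value goes to the hidden field. */
    public String generate(String sessionId) {
        String token = UUID.randomUUID().toString(); // type-4 UUID, SecureRandom-backed
        tokens.put(sessionId, token);
        return token;
    }

    /**
     * Step 2: accept the submission only if the token matches AND this call is the one that
     * removed it. remove(key, value) is a single compare-and-remove, so two concurrent
     * submissions of the same token cannot both return true.
     */
    public boolean consume(String sessionId, String submittedToken) {
        if (sessionId == null || submittedToken == null) {
            return false;
        }
        return tokens.remove(sessionId, submittedToken);
    }

    /** Simulated order handler: consume, run the business step, re-issue a token on failure (step 3). */
    public Map<String, Object> createOrder(String sessionId, String token, boolean businessOk) {
        Map<String, Object> result = new HashMap<>();
        if (!consume(sessionId, token)) {
            result.put("status", "DUPLICATE"); // missing, forged or already-used token
            return result;
        }
        if (businessOk) {
            result.put("status", "OK");
        } else {
            result.put("status", "RETRY");
            result.put("tokenId", generate(sessionId)); // fresh token for the page that stays open
        }
        return result;
    }

    public static void main(String[] args) throws InterruptedException {
        TokenGuard guard = new TokenGuard();
        String sid = "JSESSIONID-demo"; // constructed session id
        String token = guard.generate(sid);

        // Double-click: two request threads submit the same token at the same instant.
        int threads = 2;
        CountDownLatch start = new CountDownLatch(1);
        CountDownLatch done = new CountDownLatch(threads);
        AtomicInteger accepted = new AtomicInteger();
        for (int i = 0; i < threads; i++) {
            new Thread(() -> {
                try {
                    start.await();
                    if ("OK".equals(guard.createOrder(sid, token, true).get("status"))) {
                        accepted.incrementAndGet();
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    done.countDown();
                }
            }).start();
        }
        start.countDown();
        done.await();
        System.out.println("accepted submissions: " + accepted.get());

        // Replay of the consumed token and a forged token are both treated as duplicates.
        System.out.println("replay: " + guard.createOrder(sid, token, true).get("status"));
        System.out.println("forged: " + guard.createOrder(sid, "not-a-token", true).get("status"));

        // Step 3: business validation fails, so a new token is handed back to the page.
        String second = guard.generate(sid);
        Map<String, Object> retry = guard.createOrder(sid, second, false);
        System.out.println("failed validation: " + retry.get("status")
                + ", new token issued: " + (retry.get("tokenId") != null));
    }
}
```

Run with `javac TokenGuard.java && java TokenGuard`. Exactly one of the two racing threads is accepted, the replay and the forged token are reported as duplicates, and the failed-validation path comes back with a new tokenId, which is what the AJAX response in step 3 would write into the hidden field. Compared with the page's version, the lock scope shrinks from the entire createOrder method to one map operation, so one user's slow order no longer blocks everyone else's.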

