Struts token mechanism prevents repeated submissions: saveToken(request) and resetToken(request)

Source: Internet
Author: User

In web development you often run into this problem: the user clicks the submit button, the data is written to the database, and then the user presses F5 to refresh the page, which re-posts the form and creates the same record again. The solution is the Struts token mechanism.

The principle of the Struts token is simple. Before the page is shown, Struts generates a unique value and stores it in the session context. When the page is rendered, the same value is written into a hidden field:

<input type="hidden" id="org.apache.struts.taglib.html.TOKEN" name="org.apache.struts.taglib.html.TOKEN" value="XXXXXXXXXX">

When the user submits the form, the value from the hidden field is compared on the server with the value saved in the session, and the server must call resetToken(request) at the same time. If the two values match, the submission succeeds; otherwise it fails. On the first submission the page value and the session value are identical, so the submission succeeds. On the second submission (the F5 refresh), resetToken(request) has already cleared the value from the session, so it can no longer match the value on the page, and the submission fails.

Basic steps:

The flow is usually like this.

On the initial request:
1. Call saveToken(request).
2. Forward to the JSP.

When the user submits the form:
3. Check isTokenValid(request).
4. If it returns true, process the request and then call resetToken(request); otherwise the submission is invalid and is not processed.

What's happening under the hood:
@ 1 Struts generates a unique value (the token) and keeps it in the session context.
@ 2 When the JSP is rendered, Struts inserts the token as a hidden field.
@ 3 The hidden-field token is submitted along with the rest of the form, and isTokenValid(request) compares the value that arrived with the current request against the value saved in the session context by the most recent saveToken(request) call. If the two token values match, the submission is valid.
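As an added example (not code from the original article), here is how the four steps look in a pair of Struts 1 Action classes. The calls saveToken(request), isTokenValid(request), resetToken(request) and mapping.findForward() are real Struts 1 API inherited from org.apache.struts.action.Action; the class names PrepareOrderAction and SaveOrderAction, the forward names "form", "success" and "duplicate", and the OrderService.save() call are assumptions for illustration only.

```java
// Added example, not from the original article. Two Struts 1 Actions that use the
// built-in transaction token to reject a repeated (F5) submission.
// Assumed names: PrepareOrderAction, SaveOrderAction, the forwards "form",
// "success" and "duplicate", and a hypothetical OrderService.save() call.
// In a real project the two classes live in two source files.

// --- PrepareOrderAction.java ---
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Steps 1-2: runs on the initial request, issues a fresh token and shows the form. */
public class PrepareOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Generates a unique token and stores it in the session under
        // Globals.TRANSACTION_TOKEN_KEY ("org.apache.struts.action.TOKEN").
        // The <html:form> tag on the forwarded JSP then renders it as the hidden
        // field org.apache.struts.taglib.html.TOKEN automatically.
        saveToken(request);
        return mapping.findForward("form");
    }
}

// --- SaveOrderAction.java ---
/** Steps 3-4: runs on the POST, checks the token, processes once, and consumes the token. */
public class SaveOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Step 3: compare the hidden-field value that came with this request against
        // the value stored in the session by the most recent saveToken(request).
        if (!isTokenValid(request)) {
            // No token was issued, the session expired, or the token was already
            // consumed by an earlier submission (the F5 case): do not touch the database.
            return mapping.findForward("duplicate");
        }

        // Step 4: the token matched. Clear it from the session before doing the work,
        // so a second post of the same form can no longer match.
        resetToken(request);

        OrderService.save(form); // hypothetical persistence call, not part of Struts
        return mapping.findForward("success");
    }
}
```

Two practical notes. The article's order is "process, then resetToken()"; consuming the token before the database write, as above, or using the single call isTokenValid(request, true) (check and reset in one step, also provided by Action), narrows the window in which a fast double-click can pass the check twice. Also, Struts keeps one token per session, so calling saveToken() while another tokenised form is open in a second tab overwrites that form's token and its submission will be rejected as a duplicate; that is expected behaviour, not an error in the check.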

