Token control repeated login

Source: Internet
Author: User

Struts has a complete token mechanism to prevent repeated submission of forms. However, the framework written by the author does not use Struts, so it needs its own mechanism to stop users from submitting the same form content again by going back or refreshing. This is not difficult to implement.

Implementation principle: consistency. When a JSP generates a form, it inserts a hidden <input> field into the form. This field holds a token string, which is also saved in the session. When the user submits the form, the hidden token string is submitted with it. On the server side, check whether the session contains a string equal to the submitted token string. If it does, the form is being submitted for the first time: the token string stored in the session is deleted, and then the normal business logic flow runs. If it does not, the form is a repeated submission and goes through the abnormal-case handling, where you can warn the user or do nothing.

Here is the code.

First, the main Token class. The class is very simple, and its main methods have doc comments.

/*
 * Blog: http://hi.baidu.com/bobylou
 * $Revision: 1.1 $
 * $Date: 2007/07/18 10:02:55 $
 * $Author: Bobrow $
 */

package com.paizuo.framework.util;

import java.util.ArrayList;

import javax.servlet.http.HttpSession;

public class Token {

    private static final String TOKEN_LIST_NAME = "tokenlist";

    public static final String TOKEN_STRING_NAME = "token";

    // Return the session's token list, creating it on first use.
    @SuppressWarnings("unchecked")
    private static ArrayList<String> getTokenList(HttpSession session) {
        Object obj = session.getAttribute(TOKEN_LIST_NAME);
        if (obj != null) {
            return (ArrayList<String>) obj;
        } else {
            ArrayList<String> tokenList = new ArrayList<String>();
            session.setAttribute(TOKEN_LIST_NAME, tokenList);
            return tokenList;
        }
    }

    private static void saveTokenString(String tokenStr, HttpSession session) {
        ArrayList<String> tokenList = getTokenList(session);
        tokenList.add(tokenStr);
        session.setAttribute(TOKEN_LIST_NAME, tokenList);
    }

    // The token is the current time in milliseconds: enough to tell one form
    // from another, but guessable, so it does not protect against forged requests.
    private static String generateTokenString() {
        return Long.toString(System.currentTimeMillis());
    }

    /**
     * Generate a token string, and save the string in session, then return the token string.
     *
     * @param session the HttpSession
     * @return a token string used for enforcing a single request for a particular transaction.
     */
    public static synchronized String getTokenString(HttpSession session) {
        String tokenStr = generateTokenString();
        saveTokenString(tokenStr, session);
        return tokenStr;
    }

    /**
     * Check whether token string is valid. If session contains the token string, return true.
     * Otherwise, return false.
     *
     * @param tokenStr the token string submitted with the form
     * @param session the HttpSession
     * @return true: session contains tokenStr; false: session is null or tokenStr is not in session
     */
    public static synchronized boolean isTokenStringValid(String tokenStr, HttpSession session) {
        // synchronized: two simultaneous submissions of the same token must not
        // both pass the contains() check before either of them removes it.
        boolean valid = false;
        if (session != null) {
            ArrayList<String> tokenList = getTokenList(session);
            if (tokenList.contains(tokenStr)) {
                valid = true;
                tokenList.remove(tokenStr);
            }
        }
        return valid;
    }
}

How to use it?

On the JSP page.

First import this class:

<%@ page import="com.paizuo.framework.util.Token" %>

The form contains a hidden token string:

<form>

<input type="hidden" name="<%= Token.TOKEN_STRING_NAME %>" value="<%= Token.getTokenString(session) %>">

</form>

Check the token in the server-side action.

if (Token.isTokenStringValid(request.getParameter(Token.TOKEN_STRING_NAME), request.getSession())) {
    // Perform normal business flow
} else {
    // Handle the repeated submission
}
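The following is an added example, not code from the original article or its author: a variant of the same one-time token idea that draws the token from SecureRandom instead of the clock and uses a single atomic remove as the check-and-delete, exercised with eight simultaneous submissions of one form. The class name OneTimeTokens and its methods are hypothetical; the store is kept free of HttpSession so it runs stand-alone (Java 8 or later), and in a servlet one instance would be kept in a session attribute.

```java
import java.security.SecureRandom;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

/** Hypothetical per-session token store (assumption: one instance per session). */
public class OneTimeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private final Set<String> tokens = ConcurrentHashMap.newKeySet();

    /** Issue an unpredictable 128-bit token for one rendered form. */
    public String issue() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        tokens.add(hex.toString());
        return hex.toString();
    }

    /** True only for the first submission: remove() checks and deletes in one atomic step. */
    public boolean consume(String token) {
        // A null token means the hidden field was missing; the set does not accept null.
        return token != null && tokens.remove(token);
    }

    public static void main(String[] args) throws InterruptedException {
        OneTimeTokens store = new OneTimeTokens();
        String token = store.issue();
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] clicks = new Thread[8]; // constructed input: eight submits of one form
        for (int i = 0; i < clicks.length; i++) {
            clicks[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                if (store.consume(token)) accepted.incrementAndGet();
            });
            clicks[i].start();
        }
        start.countDown(); // release all threads at once
        for (Thread t : clicks) t.join();
        System.out.println("accepted first submissions: " + accepted.get());
        System.out.println("replay accepted: " + store.consume(token));
        System.out.println("missing token accepted: " + store.consume(null));
    }
}
```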
