Reset Struts2 Token? - struts2

I have a token interceptor to block double submitting a form which works great, but I'm looking to reset the token under circumstances.
Essentially what I've got in the page is a list of criteria and a submit button. When the user clicks the submit button, the criteria is stored as a new row in a specific table in the database. An ajax call updates the div underneath the form with a succeeded or failed message. The token works in that I don't want the user attempting to add duplicate rows. However, if you user changes the criteria (either by choosing a different option in a drop-down menu or editing the text in s:textfield) I want it to reset the token to allow form submission again. Currently the user has to go back and fill out a new form which is somewhat inconvenient.
I'm using the standard s:token in the .jsp and interceptor lines in struts.xml. I've been searching for something to reset the token but I haven't found anything. Thanks.

The token is a value in session under "struts.token" and in the form as "struts.token.name".
Since you're making an Ajax request underneath the easiest would likely be to set the session token to whatever is already in the form, or to create your own token interceptor (it's quite short, although it uses a static TokenHelper class, which is unfortunate–noted and logged as something to do) that changes the definition of "multiple" submit. (Hash of form vals? Not sure, never given this much thought.)

I couldn't find any answers on google and I don't appear to be getting any answers here so what I did is created a new button called "Clear Form" which calls some javascript to refresh the page and therefore resetting the token and the forms. Not the most elegant but it works.

Related

One view having multiple button in asp.net mvc

I am not able to understand the flow on this page
how they are doing in MVC http://demo.nopcommerce.com/onepagecheckout
till now i created only one button for one page (view ) or provide me some similar link or similar code so i can understand
i want to implement same in my application
Thanks in Advance
The page is using AJAX to achieve the effect. Let's go through how it works.
The page is divided up into four sections.
Billing Address
Payment Method
Payment Information
Confirm Order
Each section is treated separately and are likely rendered using partial views. Each section has it's own form. When the user fills out a section and then submits that section, the form is submitted to a particular action. The Billing Address section submits its form to /checkout/OpcSaveBilling, the Payment Method section submits its form to /checkout/OpcSavePaymentMethod and so on.
When these forms are submitted (asynchronously, remember), the server handles the business logic and the validation and returns a result in the form of JSON. The JSON describes what happened, i.e. the result of the validation (success or fail), any errors that occurred and also contains HTML that the page can use to redisplay that particular section.
How is this data being remembered? Sessions. When forms are successful in their submission, the form data is stored per user in the session data. This way the system knows each user's settings and also knows where they are up to in the process.
The final step, Confirm Order, doesn't bother sending any form data because the server already knows everything through the session information.

already logged page should be display when open new tab in struts2

I developing Struts2 project.
In that project the user can log in and do something its work fine.
If that user open the new tab and type my project url it will show the same page(after login page).
How do I implement the above scenario?
One way would be doing like described here, in a question almost identical to your (concept is the same, only the implementation, on .NET, differs).
Calculate an unique value each time you pass in the Action, then put
it in a session variable (that is server side) and use it to feed an
hidden field on the web page (that is client side).
When the page will post back (submit) the form containing your hidden field, you
will see if the page field and the session field are the same.
If yes: it is (the only OR) the last page / tab opened.
If no: you are trying to submit the form from a page that is not the
last page opened.
This way, you will always have only one instance of the web application, and if you open another instance of the web application in a new page / tab, it will invalidate the previous one: only the last opened will be valid (because of multiple hidden fields, one for each page, but only one session variable).
IF you really need (do you?) to prevent the user opening a new tab instead of ensuring a single instance for the web-app, start working from this principle and eventually come back here (better with some code)

Parameters through postback

I'm working with Ruby on rails 2.3.4 and I'd like to pass some parameters from one page to another ones the first one is submitted.
For example:
On the first page, I have a form that when it's filled a Preview button can be clicked to check all the info entered before submitting the form. That button redirects to another page with the info entered before, but I don't know how to get it in the second page.
There are two possible solutions:
You can emulate the stepped form filling by creating a record in first form and saving it with status "unverified" or "pending". This way you won't have to deal with hidden form fields in 2nd and 3rd pages. All you'll need to pass is the id of pending record. You'll just need to update record status to "active" once the data is confirmed.
Use client side paginated from (all popular JS frameworks have plugins for this). Hence you will only display different <div>s in single loaded page (something like an interface for a setup wizard).

What methods are available to stop multiple postbacks of a form in ASP.NET MVC?

A common web problem is where a user clicks the submit button of a form multiple times so the server processes the form more than once. This can also happen when a user hits the back button having submitted a form and so it gets processed again.
What is the best way of stopping this from happening in ASP.NET MVC?
Possibilities as I see it are:
Disable the button after submit - this gets round the multiple clicks but not the navigation
Have the receiving action redirect immediately - browsers seem to leave these redirects out of the history
Place a unique token in the session and on the form - if they match process the form - if not clear the form for a fresh submit
Are there more?
Are there some specific implementations of any of these?
I can see the third option being implemented as an ActionFilter with a HtmlHelper extension in a similar manner to the anti-forgery stuff.
Looking forward to hearing from you MVC'ers out there.
Often people overlook the most conventional way to handle this which is to use nonce keys.
You can use PRG as others have mentioned but the downside with PRG is that it doesn't solve the double-click problem, it requires an extra trip to the server for the redirect, and since the last step is a GET request you don't have direct access to the data that was just posted (though it could be passed as a query param or maintained on the server side).
I like the Javascript solution because it works most of the time.
Nonce keys however, work all the time. The nonce key is a random unique GUID generated by the server (also saved in the database) and embedded in the form. When the user POSTs the form, the nonce key also gets posted. As soon as a POST comes in to the server, the server verifies the nonce key exists in its database. If it does, the server deletes the key from the database and processes the form. Consequently if the user POSTs twice, the second POST won't be processed because the nonce key was deleted after processing the first POST.
The nonce key has an added advantage in that it brings additional security by preventing replay attacks (a man in the middle sniffs your HTTP request and then replays it to the server which treats it as a legitimate).
You should always return a redirect as the HTTP response to a POST. This will prevent the POST from occuring again when the user navigates back and forth with the Forward/Back buttons in the browser.
If you are worried about users double-clicking your submit buttons, just have a small script disable them immediately on submit.
You might want to look at the Post-Redirect-Get (PRG) pattern:
This really isn't MVC specific, but the pattern we follow on our web pages is that actions are performed with AJAX calls, rather than full page POSTs. So navigating to a url never performs an action, just displays the form. The AJAX call won't be in the history
Along with the disabling of buttons, you can add a transparent div over the entire web page so that clicking does nothing. We do this at my work and add a little friendly label saying processing request..
The most elegant solution I found was to use ActionFilters:
Blog post is here

Preventing double HTTP POST

I have made a little app for signing up for an event. User input their data and click "sign me in".
Now sometimes people are double in the database, the exact same data that got inserted 2 times very quickly after each other. This can only mean someone clicked the button twice, which caused two posts to happen.
This is common web problem, as credit card apps and forum apps often say: "Clicking once is enough!".
I guess you could solve it by checking for the exact same data to see if the post is unique, but I wonder if there are other methods.
This ofcourse does not count for ASP.NET webforms, because POST doesn't matter as much.
While JavaScript solutions can disable the submit button after it has been clicked, this will have no effect on those people who have JavaScript disabled. You should always make things work correctly without JavaScript before adding it in, otherwise there's no point as users will still be able to bypass the checks by just disabling JavaScript.
If the page where the form appears is dynamically generated, you can add a hidden field which contains some sort of sequence number, a hash, or anything unique. Then you have some server-side validation that will check if a request with that unique value has already come in. When the user submits the form, the unique value is checked against a list of "used" values. If it exists in the list, it's a dupe request and can be discarded. If it doesn't exist, then add it to the list and process as normal. As long as you make sure the value is unique, this guarantees the same form cannot be submitted twice.
Of course, if the page the form is on is not dynamically generated, then you'll need to do it the hard way on the server-side to check that the same information has not already been submitted.
Most of the answers so far have been client-side. On the server-side, you can generate a hidden field with a GUID when you first produce the form, and then record that GUID as a submitted form when the post is received. Check it before doing any more processing.
Whenever a page is requested from the server , generate a unique requestToken , save it in server side,mark status as NOT Processed and pass it along with the current requested page. Now whenever a page submit happens , get the requestToken from the "POST"ed data and check the status and save the data or take alternate action.
Most of the banking applications use this technique to prevent double "POST"ing.So this is a time proven & reliable way of preventing double submissions.
A user-side solution is to disable the submission button via Javascript after the first click.
It has drawbacks, but I see it often used on e-commerce websites.
But, it won't never replace a real server-side validation.
Client side techniques are useful, but you may want to couple it with some server side techniques.
One way to do this is to include a unique token in the form (e.g. a GUID or similar), so that when you come to process the form you can check to see whether the token has already been used, preventing a double submission.
In your case, if you have a table with event visitors, you might include this token as a column.
A client-only solution won't be enough, as stated in many of the answers here. You need to go with a server-side fail-safe.
An often overlooked reason that disabling the submit button doesn't work is, the user can simply refresh the submit target (and click OK on the "are you sure you want to resubmit the POST data?" dialog). Or even, some browsers may implicitly reload the submitted page when you try to save the page to disk (for example, you're trying to save a hard-copy of an order confirmation).
Almost no one has js disabled.
Think about coding your e-commerce website for the 70 year old woman who double clicks every link and button.
All you want to do is add a javascript to prevent her clicking "Order Now" twice.
Yes - check this at the server side too "be defensive" - but don't code for that case. But for the sake of a better UI do it on the client side too.
Here are some scripts that I found:
//
// prevent double-click on submit
//
jQuery('input[type=submit]').click(function(){
if(jQuery.data(this, 'clicked')){
return false;
}
else{
jQuery.data(this, 'clicked', true);
return true;
}
});
and
// Find ALL <form> tags on your page
$('form').submit(function(){
// On submit disable its submit button
$('input[type=submit]', this).attr('disabled', 'disabled');
});
None of the solutions address a load-balance server.
If you have some load balancer, send a UUID (or any type of unique number) to the server to store and read again will not work well if the server is not aware of other servers, because each request could be processed by a different server in a stateless environment. These servers need to read/write to the same place.
If you have multiple servers you will need to have some shared cache (like a Redis) among the servers to read/write the unique value in the same place (what could be an over-engineering solution, but works).
Client side alteration is a common technique:
Disable submit button
Change the screen to a "please wait" screen
If the form was modal, changing the screen back to their usual process (this has the benefit of making things look really slick)
But it's not perfect. It all relies on JS being available and if that's not the case, without back-end duplication detection, you'll get duplicates still.
So my advice is to develop some sort of detection behind the scenes and then improve your form to stop people with JS being able to double-submit.
You can track the number of times the form's been submitted and compare it to the number of unique visits to the page with the form on it in the session.
Beside the many good techniques already mentioned, another simple server-side method, that has the drawback of requiring a session, is to have a session variable that is switched off on the first submit.

Resources