Prevent form resubmit after pressing back button - java

I am in bit of a delicate situation here. In my organization we design stock management systems and it is a web application based on JSP pages and servlets which handles them.
I have been asked to fix a specific problem. We have a JSP page with an HTML form table where there are stock details. When user enters the details manually and submit the form, stock details updated in the database and it works fine.
Problem is this : When the user press the browser's back button, user can come to the previous page where he submitted the details. And when the user submit this, data is saved once more to the database.I need to prevent this behaviour.(Something likeclear and reload the page.)
Things I did so far : clear the browser cache.Code works fine but not the expected result.
Unfortunately I cannot share the code due to company regulations. What I need is a help to prevent this behaviour or a workaround.
Thanks in advance..

You can use a javascript function with the help of a hidden attribute to reload the web page. When the user press the back button,based on the value of the hidden attribute, page will be reloaded without loading the cached page.
Your approach of clearing cache is correct. Coupled with that, you can use this approach.
<input type="hidden" id="refreshed" value="no">
<script type="text/javascript">
onload=function(){
var e=document.getElementById("refreshed");
if(e.value=="no")e.value="yes";
else{e.value="no";location.reload();}
}
</script>
One drawback of this approach is if your clients' browsers have disabled JS, this will not work.Otherwise it should work.

When the user press the browser's back button, user can come to the
previous page where he submitted the details. And when the user submit
this, data is saved once more to the database.
According to how you described it, that is based on a doGet request. Which means every time you visit that URL, it will send the request with whatever parameters were added.
As someone already mentioned, if you switch the form to a post method and switch the Servlet to a doPost, you won't have this issue anymore.
Alternatively you can circumvent this with a javascript solution. Here are some options:
You can check if the user clicked the back button, disable form if true.
Another way is by storing a cookie which you check on page load, if it exists you can disable the form.

You can use this code also
$(document).ready(function() {
function disableBack() { window.history.forward() }
window.onload = disableBack();
window.onpageshow = function(evt) { if (evt.persisted) disableBack() }
});

You must use a Post-Redirect-Get pattern: https://en.m.wikipedia.org/wiki/Post/Redirect/Get.
Actually, every use of standard HTML forms with method="post" should be implemented with that pattern. It doesn't have any use for AJAX-posted forms, which actually could be another solution but will require more work and probably some architectural changes.

I had this same problem while building a django web app, and my solution was to not allow caching of the html that contains the form. In your request handler, do not allow the browser to cache the page. This will force the browser to get the page fresh from the document.
Which, in this case, you can just verify in your request handler if the requested form has already been submitted.
My code for reference:
from django.views.decorators.cache import never_cache
#never_cache
def GetForm(request, pk):
# Logic #
if (IsFormCompleted(pk)):
# Handle request #

Here is a solution.
give a random id in a hidden field on the form. Then on the server side, if the user resubmit, check if the random id already on the database. If so, redirect user.

Related

How do I handle Http request race conditions in a Front Controller web application?

I have a web application, which is an implementation of the Front Controller Pattern, as described by the image below. Specifically, I have followed the code example of the Front Controller Pattern, as described in this question's answer:
Design Patterns web based applications
I'm having updating issues with one of my .jsp pages. This page in particular has a popup-editor, which allows the user to add or remove links to sets of data from an external database. If the user hits a save-button, it sends a request, which is intercepted by the Front Controller. Then, the correct action for saving or deleting a reference link (many to many ID numbers) is executed on the systems own database. After, the page should be reloaded, which triggers a chained command, which loads data from both databases, before redirecting to essentially the same page, without the popup.
However, the page is not reloaded, due to some form of caching that I do not understand. I've tried every solution I could find, to prevent loading cached data, from adding a unique value to the URL, to adding meta-tags on the jsp-page, to prevent it from caching at all. I've confirmed that the data is loading on server side. A simple F5-click updates the page like it should be doing automatically.
I've also implemented an onClose-function on the popup, that calls a window.location.reload(). However this call interrupts the Front Controller, and it stops everything it is currently doing, to handle the newest request. This creates a race condition, where the data is sometimes able to be inserted/deleted, and sometimes not, before the Front Controller starts reloading the page.
Should I make a queue?
Is there a good reason not to do it this way?
Should the Front controller's execution method, or the class itself implement some kind of Synchronization?
Your popup-editor should be placed inside an iframe so that it will not reload the window when it submits. The response that returns from request sent by the iframe should trigger the window.location.reload(). For example:
<html>
<script type='text/javascript'>
window.onload = function() {
window.location.reload();
};
</script>
</html>
Another option is to send the update with an Ajax call and then reload the page when the Ajax call returns. Or nicer, update the page dynamically without a reload but with JSON data returned by the Ajax call.

Avoid duplicate submission of Struts 2 jsp page

Hi all I've got some jsp pages and im using struts2 to handle my forms.
After submitting a form by user, the url shown in address bar becomes somthing.action, so when the user refreshes the page, the forms gets submitted again. How can I handle this? after submission of a form.
If the goal is to prevent duplicate submission of forms then use token interceptor http://struts.apache.org/2.x/docs/token-interceptor.html or tokenSession interceptor http://struts.apache.org/2.x/docs/token-session-interceptor.html.
If you simple want to refresh the page after submit without submitting again then redirect to action where you only show results not form. Use redirectAction result for that.
+1 to both the other answers.
Post/Redirect/Get is the classic Pattern for every web technology.
Token Interceptor is another way to go, when you are using Struts2;
There is a third way to go, if you don't care about retro-compatibility with old browsers, or browsers with Javascript disabled: HTML5's window.history.pushState.
Just reset the url to the original one after the page is loaded, and pressing F5 will get the original page, instead of re-submitting the request.
$(document).ready(function() {
window.history.pushState("","", "myOriginalUrlWithNoParams");
});
POST REDIRECT GET
This pattern needs to be followed to prevent re-submission of form on refresh. This means, after submitting a POST request, POST should send a REDIRECT response to fetch the destination page using GET. With this pattern, if the user refreshes the page, only the GET request happens again, so the same page is fetched without updating anything in server.
This is a common design pattern recommended for web. Google would provide a lot of resources about this.

How to change url in user browser without client redirect in servlet

I want to forward from one page to another but with the same I want url to be changed. Suppose user is here http://mywebsite/register and when he completes his registration process then I want this in his address bar http://mywebsite/home
Is it possible without using sendRedirect , I mean by the way server side forwarding only? or any other way around to this problem?
You could just let the HTML form submit to that URL directly.
<form action="http://mywebsite/home">
But this makes no sense. You'll also run into problems when redisplaying the same form with validation messages in case of validation failure. You'd need to redirect back to the original page if you intend to keep the original URL and you'd need to fiddle with storing messages in the session scope instead of the request scope because a redirect basically creates a brand new request. You'll without a redirect also run in "double submit" problem whenever the enduser presses F5 after submitting the form.
Just let the servlet redirect the successful POST request to the desired URL. That's the canonical approach. Even more, this is a recommend "design pattern": the POST-Redirect-GET pattern.
AFAIK there's no way around a redirect since the browser has to update the url at some point. And if you'd update the url after the forwarded to page has been loaded it would issue a refresh and the page would be loaded again (which might result in an endless loop).
Why don't you want to use a redirect in that case?

prevent duplicate submission of forms on jsp pages

Hi all
I've got some jsp pages and im using struts to handle my forms.
After submitting a form by user, the url shown in address bar becomes somthing.action, so when the user refreshes the page, the forms gets submitted again.
How can I handle this?
after submission of a form, Is there any possible way to show a ".jsp" url instead of a ".action" in the address bar?
Yes, use redirect-after-post. Either response.sendRedirect("foo.jsp"), or see here or here (depending on what exactly your code is).
If you are using Struts 2, it has a Token interceptor, to prevent duplicate form submissions -
http://struts.apache.org/2.1.2/struts2-core/apidocs/org/apache/struts2/interceptor/TokenInterceptor.html
And an example: https://cwiki.apache.org/WW/token-interceptor.html
If you redirect user to some page (it can by same as form) after you make action, it will not send post data if page will by refreshed.

Java seeking referer

I am using Struts and Java. The problem is that I have a page with some results. The user can click an item and edit it. I want after editing the user to be able to return back to the results. Back isn't broken but if he submits the form for update he would have to click back 2 times I think and may have problem.
I have tried header("Referer") but this doesn't work in Internet Explorer.
I am trying to implement a solution. Any ideas? My idea is to save url and move around an ID of that url. And when I want to return back get the url from ID. Storing it in the session is not a solution because the user may have opened multiple windows.
Passing a URL as a request parameter may create security issues. Powerlord is right that the USER can alter the referrer header. This will allow the user to visit a page, something they can do anyway. More seriously, following a URL that is in a request parameter allows an attacker to send the user to a page of the attacker's choice, with the appearance that this page is recommended by your application. So the answer from BalusC can enable Cross-Site Request Forgery.
The best way is to pass it around as a request parameter. On the edit link or button, just pass the current URL along as request parameter. Here's an example with a link:
edit
Or if it's a button to submit a form, then rather pass it as hidden input value in the same form:
<input type="hidden" name="from" value="${pageContext.request.requestURI}">
In the page with the edit form, transfer it to the subsequent request as hidden input value of the form:
<input type="hidden" name="from" value="${param.from}">
In the action method, just redirect to that URL after finishing the action. Since I don't do Struts, I can't give a detailed Struts example, but here is how you would do it with "plain vanilla" Servlet, you must be able to port it to a Struts approach:
response.sendRedirect(request.getParameter("from"));

Categories