When I submit a form to the browser,the form is submitted twice.The access log shows there are two requests arise at the same time.Two different threads executing it.
The thing is,the first request contains the attribute values that the user entered while the second request call contains only null values in request object.
Not all the times this issue occur.It happens only sometimes and not reproducible at all.Both in IE8 and IE9,I got these issues.
Do anyone know why does it happen?
Maybe the problem is that you are using submit button and document.forms[0].submit within the javascript onclick event handler .
Thus action is called twice:
First time by
document.forms[0].submit
Second time by
submit button action
Do you use struts1 or struts2? Anyway, they both have a mechanism to avoid repeat submit: token.
For struts1, you need call saveToken() in the first action (the action for form page), and 'html:form' tag of struts will automatically add this token to your page; in your submit action (the action which dealing form), invoke isTokenValid(request, true), and this will validate the token from your page & your session.
For struts2, add the interceptor ref token for your submit action, and add 's:token' tag in your form page.
The above solutions restrict repeat submitting in server side, that the second request will cause a exception and handled as invalid request. But if you wanna restrict this in UI side, you need some javascript, like: when you click the submit button, disable it to avoid repeat submitting.
Related
Today i've added crsf protection in my webapplication.
When a html for is printed i generated random token and put it in a hidden field and in user session.
When form is submitted i read hidden form field and compare it with token in user session.
If tokens match form submission may continue. If it fails a error is displayed.
To implement this i used a implementation found on the web. This implementation did not remove the token from the session once the form was submitted. I decided to remove the token from the session once the form was submitted, because it was no longer needed.
The thing i bump in to now is when i submit a form and then i press the back button of my browser and submit the form again the error appears (because token was removed from user session, but browser still holds the old form in the browser cache and displays it with the old token).
To prevent this from happening i thought of removing the token from the user session after 15 minutes. This way he should be able to go back and resubmit form. I was wondering if this is a valid and secure solution for the problem?
Beside preventing CSRF, the token helps you preventing double form submits too. I doubt your application is happy when a user submits the same form twice. So it's fine to remove the token on first submit and on second submit display a message saying: "The form submit is invalid or was already processed ..."
Is it possible to call Bean from Jquery? My requirement is like below,
I have a JSF 1.2 based Servlet.
Am invalidating a user's session if he is idle for some time. Am showing Jquery dialog box 1 minute before invalidating the session. A user has 2 options in the dialog box. "Yes I want to continue" will extend the session. "No I want to logout" will logout the user.
When user clicks on "No I want to logout", I want to call bean method where I update the Database & invalidate the session.
Below is the code,
'No, Log out': function(){
$j.idleTimeout.options.onTimeout.call($j.post('//This is where am stuck',function()
I want to call bean in $j.post so that I can do some clean up activities in my bean.
How this can be done?
Regards,
You can either use just use a hidden(style="display:none") commandButton with an action pointing to a method in your bean , and call a .click() on it from jquery
something like this
<h:commandButton id="myButton" action="#{myBean.myInvalidateMethod}" style="display:none"/>
jquery
&("#myButton").click();//possible myForm prefix appear before the id so use #myForm\\:myButton selector
Or you can call servlet from your jsf page , similar to this answer Calling a Servlet from a JSP page using jQuery Ajax
You can't directly access the methods, you'll have to make your servlet handle your request and call the method for you and return the data in json format for example
This question is in continuation of Forwarding the request from one jsp to another jsp with all request parameters?. For the convenience of user, will explain the scenario and new query on that .
i have this scenario. User enter some stuff on jsp form in browser and submit. In servlet i process the request and show the jsp page1 to client which has just continue button. Now on click of continue, i want to forward this request to another jsp page2 with all request parameter present on page1. basically i want to get all request parameters which were present in first request on page 2 also. As per replies i can go for hidden variable which i agree. Now a question this.
EDIT
if i have customer info object in request, how will submit it as hidden field. I will get customer object as string in second jsp. Right? Is there a way i can get it as customer object in request instead of string object?
Store it in Session scope and retrieve where ever u want to get it back, on the first call of servlet , just put it in session and later on third jsp just get it from the session
I have my java project web application. I am usning struts 2. Across the application , i make the action URL and submit it then response jsp is shown as
result but URL does not get changed in address bar(which is expected). But one jsp when i submit the action to create the employee , i see the create
customer action URL in address bar which i don't expect. I am using post method. I debugged the issue but found nothing special in request/response
object for this http request?
Seeing the address of the action you posted to in the browser address bar is expected behavior.
What you should do is use the Post-Redirect-Get pattern, so that the user can successfully refresh the page or navigate through historywithout any problem. This will also have the side-effect of displaying the URL of the action you redirect to after the creation, rather than the URL of the creation action itself.
My title maybe confusing so please read on. I'm using the following technologies if you may. Spring, Hibernate, JSF (RichFaces), MySQL, Internet Explorer.
I have a List of items which is displayed in a RichFaces datatable like so:
item a
item b
item c
item d
item e
On the same page I have the following buttons: search, edit, add, delete and new.
When an user enters a search string, e.g. "item c", and press search button, then it displays a list of matching items, e.g:
item c
When the user presses the new button, the request will be redirected to another page using:
FacesContext facesContext = FacesContext.getCurrentInstance();
facesContext.getExternalContext().redirect(page + ".jsf" );
When the browser back button of IE is been pressed on that page, the page displays "web page expired". What is this and how can I avoid this?
web page expired
You will get this error when you're trying to obtain a non-cached POST request from the browser history. This behaviour is fully expected. To fix this "problem", you need to either turn the cache on or to replace POST by GET.
Enabling the browser cache is actually easy: just remove the Cache-Control: no-cache and related headers from the HTTP response of the POST request in question. The enduser will then only get a warning dialog that the POST data will be resent to the server, which in case of fully non-idempotent requests like placing an order or deleting an item is really not desirable. Replacing POST by GET is then a better solution. Getting searchresults (like as Google does) should really be done by GET.
Replacing POST by GET isn't easy in JSF prior to version 2.0. Best what you can do is to fire a redirect after the POST and pass the data of interest as request parameter which you retain from #{param} as managed property (more recommended) or store the data of interest in session scope (not recommended). A completely different alternative is to replace the JSF <h:form> by a simple HTML <form action="searchresults.jsf"> and do the search job in a #PostConstruct method in the backing bean associated with searchresults.jsf, after the submitted query has been gathered as managed property or from request parameter map.