The Core J2EE Patterns book describes the synchronizer token pattern to
solve this problem. Basically, when you display a form, you put a
synchronizing token (some random string) as a hidden form value and you
also store this value in the user's session. The tokens should match the
first time the form is submitted. This is better than the JavaScript
approach, which only prevents duplicate form submissions from the same page,
which occur if the user double-clicks the submit button and the form
submission takes a little time.
-Richard
At 10:28 AM 9/20/01 +0200, you wrote:
>Hello,
>
>The back and forward buttons are the nightmares of
>web programmers anyway. Knowing that there is no
>real solution to deactivate them (read the many
>threads in the archives), I had to keep in the session object
>the page the client is currently reading and implement
>in the servlet how pages should follow each other.
>BUT:
>- sometimes browsers keep the pages in their history memory,
>so that the back and forward buttons don't
>even request the server (the history mechanism is supposed
>to be different from the cache).
>- resizing in Netscape invokes the server (it seems
>so to me anyway).
>So it's really difficult to implement
>transactions over the web.
>The best solution I've found yet is to advise users
>against using those back and forward buttons, or the
>right mouse click!
>Still looking for other secure ways.
>
>
>
>--- Tinou Bao <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Interested in how others have approached this
> > problem.
> >
> > After the user has logged in, all pages are set to no
> > cache because we don't want
> > the pages to potentially be viewed by others if the
> > user does not close the
> > browser. This is fine except it causes duplicate
> > requests to be made when
> > the user uses the back/forward buttons on the
> > browser. This may cause, e.g.,
> > duplicate creates, deletes, updates. We're currently
> > using RequestDispatcher
> > to forward our request to a JSP resource. Our two
> > options are:
> >
> > * don't use forwards and use redirects
> >
> > * keep using forwards but use some tracking
> > mechanism to detect duplicate
> > requests
> >
> > Any other thoughts?
> >
> > Thanks.
> >
> > --
> > Tinou Bao
> > www.tinou.com
> >
> >
>
>=====
>Vincent BUI,
>[EMAIL PROTECTED]
>
>PS: the propaganda signature that follows is not my doing.
>
>___________________________________________________________
>Do You Yahoo!? -- Free e-mail @yahoo.fr!
>Yahoo! Mail: http://fr.mail.yahoo.com
>
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
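The synchronizer token pattern described at the top of this thread, written out as a servlet. This is an added example, not code from the thread or from the Core J2EE Patterns book; the servlet class name, the session attribute name, the "token" form field and the createOrder() call are assumptions made for illustration. It pairs the token with a redirect after the POST, so a reload re-GETs the confirmation page instead of re-POSTing the form, and it consumes the token before comparing it so that a double-click or a back-button resubmission finds no token and is rejected.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet that creates an order exactly once per rendered form.
public class OrderServlet extends HttpServlet {

    // Session attribute that holds the token for the currently displayed form (assumed name).
    private static final String TOKEN_ATTR = "org.example.synctoken";
    private static final String TOKEN_FIELD = "token";
    private static final SecureRandom RNG = new SecureRandom();

    // GET: issue a fresh token, store it in the session, embed it in the form.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        String token = newToken();
        session.setAttribute(TOKEN_ATTR, token);

        // Authenticated pages are not cached, as in the original question.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setContentType("text/html; charset=UTF-8");
        resp.getWriter().print(
            "<form method=\"post\" action=\"order\">"
          + "<input type=\"hidden\" name=\"" + TOKEN_FIELD + "\" value=\"" + token + "\">"
          + "<input type=\"text\" name=\"item\">"
          + "<input type=\"submit\" value=\"Order\">"
          + "</form>");
    }

    // POST: accept the submission only if it carries the token currently in the session,
    // then remove the token so a second submission of the same form is refused.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !consumeToken(session, req.getParameter(TOKEN_FIELD))) {
            // Double-click, back/forward resubmission, or a forged form: do not repeat the work.
            resp.sendError(HttpServletResponse.SC_CONFLICT, "Duplicate or stale form submission");
            return;
        }

        createOrder(req.getParameter("item")); // runs at most once per rendered form

        // Redirect after POST: a browser reload or "forward" re-requests this GET, not the POST.
        resp.sendRedirect(req.getContextPath() + "/order-confirmed");
    }

    // 256 bits from SecureRandom, URL-safe base64 so the value is safe inside an HTML attribute.
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Atomically compare-and-remove: whichever of two racing submissions gets the lock first
    // takes the token, the other finds the attribute gone and is rejected.
    static boolean consumeToken(HttpSession session, String submitted) {
        if (submitted == null) {
            return false;
        }
        synchronized (session) {
            Object expected = session.getAttribute(TOKEN_ATTR);
            if (!(expected instanceof String)) {
                return false;
            }
            session.removeAttribute(TOKEN_ATTR); // consume before comparing
            return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Placeholder for the real business operation (assumed).
    private void createOrder(String item) {
        // persist the order here
    }
}
```

Two caveats for anyone using this. Synchronizing on the HttpSession object only serialises the two double-click POSTs if the container hands the same object to both requests, which is true of the common single-JVM containers but not guaranteed by the Servlet spec; in a clustered or serialised-session deployment the compare-and-remove has to be done against the backing store instead. Also, because the token is tied to one rendered form, a user who opens the same form in two tabs and submits the older one will be refused; if that is a supported flow, keep a small set of outstanding tokens in the session rather than a single value.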