Jerry,

On 6/17/15 11:55 AM, Jerry Malcolm wrote:
> OT: I have a simple 'contact-us' webapp that has been running for
> years. I'm not having any problems with it directly. However,
> periodically, I get resubmissions of the form from the client's
> computer, sometimes randomly once a day for several days/weeks,
> and sometimes once or twice two weeks after the original form was
> submitted. The obvious answer to this would be that the client
> just keeps hitting the back button and resubmitting the form. But
> I know that is not the case. I have a little JavaScript snippet
> that sets the current date in a hidden field when the user hits the
> submit button (spam robots don't recognize this, so
> spam-robot-submissions will not have a valid date in the hidden
> field). When these random form resubmissions come in they have
> the original date/time in that hidden field from when they actually
> requested and submitted the form.
>
> So what I know at this point:
>
> 1) This is rare. But when it starts with a particular form, I'll
> get resubmissions anywhere from once every few hours to once every
> couple of weeks.
>
> 2) It finally stops. But one specific form kept coming in once a
> day (random time each day) for over 2 months (still with original
> date/time from two months earlier in that hidden field)
>
> 3) I checked the apache httpd logs, and the resubmissions are
> coming from the original user's IP address. They are definitely
> coming in as a new request each time to apache/tomcat (as opposed
> to my webapp code somehow reprocessing the original request)
>
> 4) The user is NOT hitting the submit button over and over as
> proven by the time/date in the hidden field.
>
> I have written defensive code in my webapp to detect this situation
> and handle it. So it's not a critical problem now. But it just
> frustrates me that I have no clue what is going on. And I'm
> curious if the users are seeing something strange as this is
> occurring. It appears that the client's browser is holding onto
> the form and just randomly resending it to the server without the
> user's knowledge. And it finally stops when they close their
> browser or reboot their computer. I know this makes zero sense.
>
> So.... I know this is not precisely tomcat related. But I know
> this forum has followers with a vast range of knowledge in many
> areas. I'm just curious if this rings any bells, or if anyone can
> explain what is going on here. Anybody know what would cause a
> browser to keep randomly resending a form request to the server?

Could this be happening when someone submits the form and then leaves
the page open forever in a forgotten tab in their web browser? Perhaps
even after a restart, the tab is resurrected, and the browser
re-submits the POST that originally generated the page?

If you aren't already doing this, I would recommend adopting a
redirect-after-POST strategy so that even RELOADING the page after the
form doesn't re-POST the initial form.

Another thing you can do is generate a token on the server and stick
it in the page. When you accept the form, check to see if the token is
valid. If not, bomb to a "sorry" page, otherwise, process it as usual.

-chris
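
An added example, not part of the original thread and not Tomcat's own code: a servlet that combines the two suggestions in the reply above, a server-issued one-time token checked on submit and a redirect after a successful POST. It assumes the javax.servlet API (Servlet 3.0 or later); the `/contact` path, the `thanks.html` page, the `token` and `message` field names and the session attribute name are hypothetical.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical servlet: the paths, field names and attribute name are assumptions.
@WebServlet("/contact")
public class ContactServlet extends HttpServlet {
    private static final String TOKENS = "contact.tokens";  // session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Outstanding one-time tokens for this session, created on first use.
    @SuppressWarnings("unchecked")
    private static synchronized Set<String> tokens(HttpSession s) {
        Set<String> t = (Set<String>) s.getAttribute(TOKENS);
        if (t == null) {
            t = ConcurrentHashMap.newKeySet();
            s.setAttribute(TOKENS, t);
        }
        return t;
    }

    @Override  // Render the form with a fresh, unguessable token in a hidden field.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens(req.getSession()).add(token);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().printf("<form method='post'><input type='hidden' name='token' value='%s'>"
            + "<textarea name='message'></textarea><button>Send</button></form>", token);
    }

    @Override  // Accept each token exactly once, then redirect so a reload issues a GET.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession s = req.getSession(false);  // an expired session has no tokens
        String token = req.getParameter("token");
        // remove() succeeds only for a token that was issued and not yet used.
        if (s == null || token == null || !tokens(s).remove(token)) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "Sorry, this form was already submitted.");
            return;
        }
        // ... process req.getParameter("message") here ...
        resp.setStatus(HttpServletResponse.SC_SEE_OTHER);  // 303: the follow-up request is a GET
        resp.setHeader("Location", resp.encodeRedirectURL(req.getContextPath() + "/thanks.html"));
    }
}
```

A POST replayed by a restored tab carries a token that was already consumed, or arrives after the session has expired, so it reaches the error page instead of being processed a second time.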