Do you have a good patch then? And are you saying that all double submits are then not possible anymore?
Also when I submit, then think "hmm, that's wrong", back button, change something and submit again?

On Tue, Mar 25, 2008 at 3:25 PM, laz <[EMAIL PROTECTED]> wrote:

>
> Does anyone else feel that this would be generically useful to have as a
> part of Wicket? Not only does it prevent double submits, but it also is a
> simple safeguard against cross-site request forgery (see
> http://en.wikipedia.org/wiki/Cross-site_request_forgery for a summary).
>
> The one missing piece from your solution is synchronization. There is the
> slightest possibility that the second submit of a double submit could
> enter onSubmit before the token is reset. I am not yet sure what would be
> the best object to synchronize on, possibly the session id?
>
>
>
> hillj2 wrote:
> >
> > Here's a solution that SEEMS to be working. It incorporates our solution
> > to the double submit problem that we used on our JSPs. It didn't appear
> > to be working for me at first, but seems to be now. (It does use the old
> > servlet request/session objects, but this may change once all our old
> > code is upgraded to Wicket.)
> >
> > ...
> >
> > Like I said, for now this appears to be working. I just extend all my
> > forms from this class and implement onSubmitted() with the same code I
> > previously put in onSubmit(). The key is putting matching unique strings
> > in session and in the page instance. On submit, those strings should
> > match, at which point, the string in session is cleared and the form is
> > processed as normal. If another submit comes in, the string in session
> > has been cleared so it doesn't match the string saved in the page
> > instance. In the case where setResponsePage is not called, onBeforeRender
> > resets the token string, so submitting from the refreshed page won't
> > register as an error.
> >
> > Our JSP version of this involves putting the token string in session and
> > also saving a copy to a hidden field on the JSP page. Which I think is
> > similar (although maybe a bit more complex) to what Martijn was
> > suggesting.
> >
> > Thanks for all your suggestions.
> >
> > Joel
> >
>
> --
> View this message in context:
> http://www.nabble.com/Double-submit-problem-tp15957979p16275106.html
> Sent from the Wicket - User mailing list archive at Nabble.com.
>
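
Added example, not part of the messages above and not code from the thread or from Wicket: one way to close the race laz describes is to make the compare-and-clear of the session token a single synchronized step. `FormTokenHolder` and its method names are hypothetical, and locking on a per-session holder object is an assumption about where the token is kept.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical holder stored as one session attribute; not a Wicket class.
public class FormTokenHolder {
    private static final SecureRandom RNG = new SecureRandom();
    private String expected; // token the session accepts; null once consumed

    // Called when the form renders; the page instance keeps the returned copy.
    public synchronized String issue() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        return expected;
    }

    // Compare and clear under one lock, so a second submit cannot pass the
    // comparison before the first submit has reset the token.
    public synchronized boolean consume(String submitted) {
        if (expected == null || submitted == null) return false;
        boolean match = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (match) expected = null;
        return match;
    }

    public static void main(String[] args) throws Exception {
        FormTokenHolder session = new FormTokenHolder();
        String pageCopy = session.issue(); // constructed sample token
        AtomicInteger processed = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        for (int i = 0; i < 2; i++) { // simulated double click
            pool.submit(() -> {
                start.await();
                if (session.consume(pageCopy)) processed.incrementAndGet();
                return null;
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        System.out.println("submits processed: " + processed.get());
    }
}
```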
