
I am implementing the Post-Redirect-Get solution to prevent duplicate form submission when refreshing the page on the browser. My application is a pure Servlet web application.

I have already set it up, but I want to prevent users from accessing my form success page if there isn't a previous form submission request associated with it. How would you do that?

I thought about some encoded parameter with a salt but maybe there's a simpler approach?

BalusC
M Rajoy
  • Usually, you don't redirect to a success page. You instead redirect to the page displaying the resource you just created, or to the page showing the list of resources that you've just modified. And those pages are accessible without form submission. Regarding the parameters, yes, they must be in the redirect URL. – JB Nizet Dec 14 '15 at 12:12
  • The form I am implementing is a registration form, so there's no "resource just created" from the P.O.V. of the user, I just need to redirect to a "you have been registered" page with a "activate your account" link – M Rajoy Dec 14 '15 at 12:15
  • I don't see any problem with this activation page being called standalone (even if it is not intended to be); the link you have in it should include some kind of security token + you need to implement a security check on the server side. – A4L Dec 14 '15 at 12:20
  • well that's exactly what I am asking I guess, how to make that security token – M Rajoy Dec 14 '15 at 12:21
  • The resource you just created is the user registration. It should be stored in the database, and thus have an ID, a random token sent by email for confirmation, and an expiration date. – JB Nizet Dec 14 '15 at 12:37
  • No, I must have misunderstood. How to make the validation token is a different problem. I thought A4L was talking about me needing some kind of token to validate that the user comes from the registration form when accessing my success page. It seems like the proper thing to do to prevent accessing this page from any other point. – M Rajoy Dec 14 '15 at 12:42
  • You have to save it in the same place where you save your user info, and this is the *resource* created -> a user login / account. The user may just want to do the activation at a later time, so your application needs to be able to handle this too. On the other side, account activation is implemented using an email which contains the link for activation. If the user uses the email he provided while registering and could log in to that email account, then he is eligible to activate that account. – A4L Dec 14 '15 at 13:14

1 Answer


You can use the HttpSession to pass parameters.

see: Pass Hidden parameters using response.sendRedirect()

To block requests you could use a filter which blocks attempts to call the form success page directly.

There is an example of using a filter along these lines here: Example Servlet Filter that catches and blocks IP's that request suspicious URL's

mmulholl
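The two pieces the answer describes, a session attribute set by the POST handler and a filter that refuses direct access to the success page, put together as an added example. This is not code from the question, the answer or the linked posts; the paths `/register` and `/registered`, the class names and the session key `justRegistered` are all assumptions chosen for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Handles the registration form POST and then redirects (Post-Redirect-Get)
// to the success page. Path and class name are assumptions for this example.
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    // Session key that records "this session just completed the form".
    // The name is an assumption; any key that is not user-settable will do.
    static final String JUST_REGISTERED = "justRegistered";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String email = req.getParameter("email");
        // ... validate the input and persist the new account here (omitted) ...

        // The marker lives only on the server side, in the HttpSession, so the
        // client never sees it and has nothing to forge or replay.
        req.getSession(true).setAttribute(JUST_REGISTERED, Boolean.TRUE);

        // sendRedirect issues a 302 to the success page; the browser follows it
        // with a GET, so a refresh there no longer repeats the POST.
        resp.sendRedirect(req.getContextPath() + "/registered");
    }
}

// Guards the success page: a GET is served only when the session carries the
// marker left by the POST above; any other request is sent back to the form.
@WebFilter("/registered")
class SuccessPageGuard implements Filter {

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false): do not create a session just to inspect it.
        HttpSession session = req.getSession(false);
        boolean allowed = session != null
                && Boolean.TRUE.equals(session.getAttribute(RegisterServlet.JUST_REGISTERED));

        if (!allowed) {
            // Direct access, a bookmark, or a second visit after the marker was
            // consumed: the page is not shown, the user lands on the form instead.
            resp.sendRedirect(req.getContextPath() + "/register");
            return;
        }

        // Consume the marker so the success page is a one-shot view. Trade-off:
        // refreshing the success page now redirects to the form; keep the marker
        // here instead if you would rather allow refreshes until the session ends.
        session.removeAttribute(RegisterServlet.JUST_REGISTERED);
        chain.doFilter(request, response);
    }
}
```

Because the decision is made from server-side session state, no encoded parameter or salted token has to travel in the redirect URL, which removes the question of how such a token would be validated. The same `@WebFilter` mapping can cover several success pages if they share the marker key.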