Why PRG pattern rather than others?

I need to prevent duplicate form submissions for my customer's website.

  • We need some form data from the user for the order confirmation page.
  • We use load balancing for the web server.

Approach 1 : Post/Redirect/Get

(PRG pattern : http://en.wikipedia.org/wiki/Post/Redirect/Get )

I was trying to use the PRG pattern at first.
In this case, I think I need to deal with session (or Spring FlashMap) across multiple web servers.

Approach 2 : Disable refresh on client.

One of my colleagues suggested this approach.

Approach 3 : Post/Post

Another colleague suggested this approach.

I think approaches 2 and 3 are not a good choice,
but I do not know the specific cons or security risks of these approaches.
I tried to google, but I failed to find an answer.

Thank you in advance.

[Edit]

I would like to update the pros and cons.

Approach 1 : Post/Redirect/Get

pros

  • Safe!

cons

  • If you need some form data from the user to show it on the confirmation page, you need to use session, database or something.
  • If you use session, and have more than one server, you have to do something to make the session available across multiple servers.

Approach 2 : Disable refresh on client.

pros

cons

  • Users will get upset if you limit the browser standard features, like refresh.
  • Need to consider F5, Ctrl+F5, ⌘+F5 etc., various refresh icons.
  • On mobile, many web browsers automatically refresh the page when the user reloads the browser.

Approach 3 : Post/Post

pros

  • You don't have to worry about the session sharing issue across multiple servers.

cons

  • The second form submit can fail.

Approach 1 is a pretty straightforward method that solves some duplicate post issues. It won't cope with server lag, which is a reason for duplicate submission.

Approach 2 is nothing but wrong. Users will get upset if you limit the browser standard features, like refresh. That is, if you are even able to do so technically cross-browser. You need to consider F5, Ctrl+F5, ⌘+F5 etc., various refresh icons.

I must admit that I don't fully understand the intent of Approach 3; however, it feels a bit wrong to bounce the user to an empty page.

Another standard approach is to use a nonce with form posts. This will also help you avoid a security risk called Cross Site Request Forgery. It's pretty simple.

  1. Generate a "unique" random string on the server, called a nonce.
  2. Insert the nonce into the database.
  3. Attach the nonce to the form as a hidden field (or pass it by URL or similar).
  4. Make sure the nonce is sent along in the form post to the server.
  5. At the server side, validate the nonce, remove the nonce, "save form data".
  6. Display the confirmation page.

If you get another request with a non-existing nonce, then you know it's either a duplicate post or some more evil CSRF attack.

You can probably find some support library that does this for you.
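A worked example of the six-step nonce flow from the answer above, added here as illustration; it is not code from the question, the answer, or any library the thread mentions. It is written in Python and assumes a nonce store shared by all web servers behind the load balancer (the "database" of step 2); an in-memory set guarded by a lock stands in for that store so the example runs offline. The two racing submissions at the end are a constructed scenario showing the case PRG alone does not cover: two POSTs of the same form arriving almost together.

```python
import secrets
import threading


class NonceStore:
    """Stand-in for the shared database of step 2 (assumption: in production
    this is a DB table or similar store reachable from every web server, so no
    per-server session state is needed)."""

    def __init__(self):
        self._nonces = set()
        self._lock = threading.Lock()

    def issue(self):
        # Steps 1 and 2: an unpredictable token, recorded server-side
        # before it is handed to the client.
        nonce = secrets.token_urlsafe(32)
        with self._lock:
            self._nonces.add(nonce)
        return nonce

    def consume(self, nonce):
        # Step 5: validate and remove as one atomic operation, so two
        # concurrent submissions carrying the same nonce cannot both pass.
        with self._lock:
            if nonce in self._nonces:
                self._nonces.remove(nonce)
                return True
            return False


def render_form(store):
    # Step 3: the nonce travels to the client as a hidden form field.
    nonce = store.issue()
    html = (
        '<form method="post" action="/order">'
        f'<input type="hidden" name="nonce" value="{nonce}">'
        '<input type="text" name="item">'
        '<button type="submit">Order</button>'
        "</form>"
    )
    return nonce, html


def handle_post(store, form, orders):
    # Steps 4 to 6: the posted nonce must be present exactly once. A missing or
    # already-consumed nonce means a duplicate post (refresh, double click,
    # retry after server lag) or a forged cross-site request; either is refused
    # before any order is saved.
    nonce = form.get("nonce", "")
    if not store.consume(nonce):
        return 409, "Duplicate or invalid submission"
    orders.append(form["item"])  # "save form data"
    return 200, f"Confirmed order for {form['item']}"


def simulate_double_submit(store=None):
    """Two identical POSTs racing each other: exactly one may succeed."""
    store = store or NonceStore()
    nonce, _html = render_form(store)
    form = {"nonce": nonce, "item": "widget"}  # constructed sample submission
    orders, results = [], []

    def submit():
        results.append(handle_post(store, form, orders))

    threads = [threading.Thread(target=submit) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(status for status, _ in results), orders


if __name__ == "__main__":
    statuses, saved = simulate_double_submit()
    print("statuses:", statuses)  # one 200, one 409
    print("orders saved:", saved)  # ["widget"], exactly once
```

The point of doing the check and the removal inside one lock (or, with a real database, one atomic delete that reports whether a row was removed) is that a duplicate arriving a few milliseconds after the first one cannot observe the nonce as still valid. In a deployment you would also attach an expiry to each nonce and bind it to the user's session so that a token issued to one visitor is not accepted from another; both are additions beyond what the answer describes.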
