Why PRG pattern rather than others?
I need to prevent duplicate form submissions for my customer's website.
(PRG pattern: http://en.wikipedia.org/wiki/Post/Redirect/Get)
I was trying to use the PRG pattern at first.
In this case, I think I need to deal with session (or Spring FlashMap) across multiple web servers.
One of my colleagues suggested this approach.
Another colleague suggested this approach.
I think approaches 2 and 3 are not a good choice.
But I do not know the specific cons or security risks of these approaches.
I tried to google, but I failed to find an answer.
Thank you in advance.
I would like to update the pros and cons.
session, database or something.
session, and have more than one server, you have to do something to make session available across multiple servers.
Approach 1 is a pretty straightforward method that solves some duplicate post issues. It won't cope with server lag, which is a reason for duplicate submission.
Approach 2 is nothing but wrong. Users will get upset if you limit the browser standard features, like refresh. That is, if you are even able to do so technically cross-browser. You need to consider F5, Ctrl+F5, ⌘+F5 etc., various refresh icons.
I must admit that I don't fully understand the intent of Approach 3, however, it feels a bit wrong to bounce the user to an empty page.
Another standard approach is to use a nonce with form posts. This will also help you avoid a security risk called Cross Site Request Forgery. It's pretty simple.
If you get another request with a non-existing nonce, then you know it's either a duplicate post or some more evil CSRF attack.
You can probably find some support library that does this for you.
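The nonce approach from the answer above, written out as an added example (not code from the question or the answer): a nonce is issued when the form is rendered, consumed atomically on the first POST, and the accepted POST is answered with a 303 redirect as the PRG pattern requires. The store, `save_order` and the route names are assumptions; in a multi-server deployment the dict would have to be a shared store with an atomic get-and-delete.

```python
import secrets
import threading
import time

# Constructed single-process nonce store: nonce -> expiry (epoch seconds).
# Assumption: in production this is a shared store (database, Redis, ...)
# reachable from every web server, with an atomic "get and delete".
_nonces: dict[str, float] = {}
_lock = threading.Lock()
NONCE_TTL = 15 * 60  # seconds a rendered form stays submittable

_orders: list[dict] = []  # stand-in for the application's persistence


def save_order(payload: dict) -> int:
    """Assumed application code; returns the new order id."""
    _orders.append(payload)
    return len(_orders)


def issue_nonce(ttl: float = NONCE_TTL) -> str:
    """Called when the form is rendered; put the value in a hidden field."""
    nonce = secrets.token_urlsafe(32)
    with _lock:
        _nonces[nonce] = time.time() + ttl
    return nonce


def consume_nonce(nonce: str) -> bool:
    """Remove the nonce; True only on its first, unexpired use."""
    with _lock:
        expiry = _nonces.pop(nonce, None)
    return expiry is not None and expiry > time.time()


def handle_post(nonce: str, payload: dict) -> tuple[int, str]:
    """Return (HTTP status, Location or body) as a form handler would."""
    if not consume_nonce(nonce):
        # A second submit of the same form and a forged cross-site request
        # both arrive without a live nonce; reject them the same way.
        return 409, "rejected: duplicate submission or invalid token"
    order_id = save_order(payload)
    # PRG: answer the POST with a redirect, so a browser refresh repeats
    # the GET of the result page rather than the POST.
    return 303, f"/orders/{order_id}"
```

For CSRF protection the nonce should additionally be tied to the user's session, so a token issued to one visitor cannot be replayed from another.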