堆栈内存溢出
  简体   繁体   English

如何在不使用JavaScript的情况下防止在ASP.NET MVC中双击?

[英]How do I prevent double-clicking in ASP.NET MVC without using JavaScript?

 原文  2011-10-18 20:01:00       asp.net-mvc/ double-click/ javascript

问题描述

Yes others have asked similar questions , however, the end solution was using JavaScript. 是的,其他人也提出了类似的问题 ,但是最终的解决方案是使用JavaScript。 I have that working, my question becomes what happens when the user has JavaScript turned off? 我已经工作了,我的问题变成了当用户关闭JavaScript时会发生什么? I would hope only advanced users would be turning off JavaScript and thus know to know click once on a button and can tell that the server is working. 我希望只有高级用户才能关闭JavaScript,从而知道单击一次按钮就可以知道服务器正在工作。 On the off chance they don't, how do I make sure that button is only clicked once? 如果没有,他们如何才能确保仅单击一次该按钮?

I should note that this is on a payment form. 我应该注意,这是在付款表格上。

4 个解决方案

解决方案1
 3 已采纳  2011-10-18 20:04:19

I'm afraid without JavaScript there is no way to prevent this. 恐怕没有JavaScript,就无法防止这种情况。 If the click results in a POST request, then you can try to make it idempotent on the server side. 如果单击导致POST请求,则可以尝试使其在服务器端成为幂等

解决方案2
 2  2011-10-18 20:04:33

You cannot make sure the button is only clicked once, as you have no control over user's browser. 您无法确保仅单击一次该按钮,因为您无法控制用户的浏览器。 What you can do, though, is to add a hidden field, a token to your forms so that if you see a token you've already seen, you'll be able to return an already-calculated answer. 不过,您可以做的是在表单中添加一个隐藏字段( 令牌) ,这样,如果您看到已经看到的令牌,就可以返回已经计算出的答案。

Update: In case of payment processing, it's not even a technique for preventing double submission—it's a technique protecting your clients from fraud. 更新:在付款处理的情况下,它甚至不是防止重复提交的技术,而是一种保护客户免受欺诈的技术。 Check out OWASP's A5: Cross-Site Request Forgery (CSRF) : 查看OWASP的A5:跨站请求伪造(CSRF)

Preventing CSRF requires the inclusion of a unpredictable token in the body or URL of each HTTP request. 防止CSRF要求在每个HTTP请求的正文或URL中包含不可预测的令牌。 Such tokens should at a minimum be unique per user session, but can also be unique per request. 此类令牌至少应在每个用户会话中唯一,但也可以在每个请求中唯一。

  1. The preferred option is to include the unique token in a hidden field. 首选选项是将唯一令牌包含在隐藏字段中。 This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure. 这将导致该值在HTTP请求的正文中发送,避免将其包含在URL中,因为URL可能会暴露出来。

  2. The unique token can also be included in the URL itself, or a URL parameter. 唯一令牌也可以包含在URL本身或URL参数中。 However, such placement runs the risk that the URL will be exposed to an attacker, thus compromising the secret token. 但是,这样的放置存在使URL暴露给攻击者的风险,从而损害了秘密令牌。

Basically, each time you receive a payment form, you want to make sure it's a legitimate response to the form you've shown. 基本上,每次您收到付款表格时,都希望确保它是对所显示的表格的合法答复​​。 Handling double submission comes free with security—a rare case indeed! 安全地处理双重提交是免费的,这确实是罕见的情况! ;) ;)

解决方案3
 0  2013-04-19 03:39:28

For a simple and small ASP.NET MVC app, I find using the HttpRuntime.Cache is enough: 对于一个简单的小型ASP.NET MVC应用程序,我发现使用HttpRuntime.Cache就足够了: 

Function SomeAction() As ActionResult
    Dim cachekey = "uniquecode"
    If HttpRuntime.Cache(cachekey) IsNot Nothing Then
        ' wait until the other request is finished
        Do
            Threading.Thread.Sleep(1000)
        Loop Until HttpRuntime.Cache(cachekey) Is Nothing
    End If

    HttpRuntime.Cache.Add(
        cachekey, "", Nothing,
        DateTime.Now.AddMinutes(5),
        Cache.NoSlidingExpiration, CacheItemPriority.Low, Nothing)

    Try

        ' do stuff

    Finally
        HttpRuntime.Cache.Remove(cachekey)
    End Try
End Function

The cachekey must be the same for requests that you consider double, and must be different from all the other requests. 对于您认为是double的请求, cachekey必须相同,并且必须与所有其他请求都不同。 If you check that the cachekey is already in the cache, tell the thread that is processing the request to wait (or throw error). 如果您检查缓存密钥是否已在缓存中,请告诉正在处理请求的线程等待(或引发错误)。

解决方案4
 0  2011-10-18 20:06:47

what happens when the user has JavaScript turned off? 当用户关闭JavaScript时会发生什么?

The server is hit twice and there is not much you could do about it. 服务器被击中两次,因此您无能为力。

Now depending on what you are doing on the server there are different ways to react. 现在,根据您在服务器上执行的操作,有不同的反应方式。 For example in a RESTful application if you are using a POST verb which modifies some state on the server and is neither safe nor idempotent it is eventually the underlying data source that will detect the anomaly and simply throw an exception which will be gracefully reported to the user telling him that his request was already submitted. 例如,在RESTful应用程序中,如果使用的POST动词会修改服务器上的某些状态并且既不安全也不幂等,则最终底层数据源将检测异常并简单地引发异常,该异常将优雅地报告给服务器。用户告诉他他的请求已经提交。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在ASP.NET MVC中阻止JSON序列化? - How do I prevent JSON serialization in ASP.NET MVC? 在asp.net mvc中使用fileupload时,如何防止IE保存文件对话框 - How do I prevent IE save file dialog when using fileupload in asp.net mvc 如何在ASP.Net MVC中进行JavaScript重定向? - How do I do a JavaScript redirect in ASP.Net MVC? 如何将JavaScript添加到ASP.NET MVC视图? - How do I add JavaScript to an ASP.NET MVC View? 如何在不使用 Javascript 的情况下防止 .NET MVC 中的多个表单提交? - How do I prevent multiple form submission in .NET MVC without using Javascript? javascript如何使用axios和asp.net mvc在一个请求中发布文件和数据 - javascript how do I post file and data in one request using axios and asp.net mvc 如何使用ASP.Net MVC删除项目 - How do I delete item using ASP.Net MVC 如何防止使用通配符映射的IIS 6.0上的ASP.NET MVC部署尝试处理隐藏的共享连接? - How do I prevent an ASP.NET MVC deployment on IIS 6.0, using wildcard mapping, from attempting to handle hidden share connections? 如何防止ASP.NET MVC在视图中缓存无效数据? - How do I prevent ASP.NET MVC from caching invalid data in my View? 如何防止ajaxSubmit中的“ return false;”与ASP.NET MVC RedirectToAction冲突 - How do I prevent “return false;” in ajaxSubmit from conflicting with ASP.NET MVC RedirectToAction
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM