Why the PRG pattern and not the others?

I need to prevent duplicate forms for my client website.

  • we need the form data for the user to confirm the order.
  • we use load balancing for the web server.

Approach 1: Post / Redirect / Get

(PRG pattern: http://en.wikipedia.org/wiki/Post/Redirect/Get ) Post / Redirect / Get

At first I tried to use the PRG pattern.
In this case, I think I need to deal with a session (or Spring FlashMap) across multiple web servers.

Approach 2: Disable refresh on the client.

Disable refresh on client

one of my colleagues suggested this approach.

Approach 3: Post / Post

Post / Post

another colleague suggested this approach.

I think approaches 2 and 3 are not good choices,
but I do not know the specific disadvantages or security risks of these approaches.
I tried Google, but I did not find an answer.

Thanks in advance.

[Edit]

I would like to update the pros and cons.

Approach 1: Post / Redirect / Get

pros

  • Safe!

cons

  • If you need data from a certain form from the user to show it on the confirmation page, you need to use a session, a database or something like that.
  • If you use a session and have more than one server, you need to do something so that the session is available on all of the servers.

Approach 2: Disable refresh on the client.

pros

cons

  • Users will be upset if you restrict standard browser features such as refresh.
  • You need to consider F5, Ctrl + F5, ⌘ + F5, etc., and the various refresh buttons.
  • On a mobile device, many web browsers automatically refresh the page when the browser restarts.

Approach 3: Post / Post

pros

  • You do not need to worry about the problem of sharing a session on multiple servers.

cons

  • Submitting the second form may fail.
1 answer

Approach 1 is a fairly simple method that solves some re-posting problems. It will not cope with server latency, which is the reason for duplicate posts.

Approach 2 is just plain wrong. Users will be upset if you restrict standard browser features such as refresh. That is, if you can even make it work cross-browser. You need to consider F5, Ctrl + F5, ⌘ + F5, etc., and the various refresh buttons.

I have to admit that I do not fully understand the purpose of approach 3; however, it is a bit flawed to drop the user onto a blank page.

Another standard approach is to use a nonce with form posts. It will also help avoid a security risk called Cross-Site Request Forgery (CSRF). It is pretty simple.

  • Create a "unique" random string on the server, called a nonce.
  • Insert the nonce into the database.
  • Attach the nonce to the form as a hidden field (or put it in a URL or similar).
  • Make sure the nonce is sent along with the form post to the server.
  • On the server side, validate the nonce value, delete the nonce, and "save the form data".
  • Display the confirmation page.

If you get another request with a non-existent nonce, then you know it is either a duplicate post or, even more evil, a CSRF attack.

You can find some support library that will do this for you.

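An added example of the nonce flow from the answer above, written for this page and not part of the original answer or any project. It uses a plain dict as a stand-in for the shared database and hypothetical names (`form_nonce`, `handle_order_post`); the point it adds is that validate-and-delete must be one atomic step, and that on a load-balanced site the store has to be shared by every server, not a per-process dict.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for the shared store (DB, Redis, ...). Every server behind
# the load balancer must consult the same store; a per-process dict would only
# work with a single server.
NONCE_STORE: Dict[str, float] = {}
NONCE_TTL_SECONDS = 15 * 60


def issue_nonce(now: Optional[float] = None) -> str:
    """Create a unique random token and record it before the form is rendered."""
    nonce = secrets.token_urlsafe(32)  # unpredictable, so it also resists CSRF
    ts = time.time() if now is None else now
    NONCE_STORE[nonce] = ts + NONCE_TTL_SECONDS  # expiry keeps the table bounded
    return nonce


def hidden_field(nonce: str) -> str:
    """Hidden input to embed in the order form (hypothetical field name)."""
    return f'<input type="hidden" name="form_nonce" value="{nonce}">'


def consume_nonce(nonce: str, now: Optional[float] = None) -> bool:
    """Validate and delete the nonce in one step.

    True on first use; False for an unknown, already-used or expired nonce.
    Delete-on-read is what makes a refreshed/re-sent POST fail: the second
    request finds nothing to consume. In a real DB this is one DELETE ... WHERE
    nonce = ? checked for affected rows, not a SELECT followed by a DELETE.
    """
    expires_at = NONCE_STORE.pop(nonce, None)
    if expires_at is None:
        return False
    ts = time.time() if now is None else now
    return ts <= expires_at


def handle_order_post(form: Dict[str, str]) -> Tuple[int, str]:
    """Simulated POST handler: save the order once, reject duplicates/forgeries."""
    if not consume_nonce(form.get("form_nonce", "")):
        return 409, "duplicate or forged submission rejected"
    order_id = secrets.token_hex(4)  # stands in for the real 'save the form data'
    return 303, f"/order/{order_id}/confirm"  # redirect to the confirmation page
```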

Source: https://habr.com/ru/post/1210786/
