Token Method on Forms, Double Submit Issue


Problem description

I've spent weeks working on double-submit protection on my forms. Straight up, the session method of storing tokens doesn't work.

Sessions work fine for a refresh of the page or someone going back through their history... but the classic double submit by clicking the button numerous times cannot be prevented using sessions.

I'm thinking the script cannot check/write/delete sessions fast enough to catch the error when multiple clicks are being processed within milliseconds of each other.

Is there another server-side method of preventing this problem?

Recommended answer

It seems you need an independent token store capable of avoiding race conditions. To get this to work several solutions are available; one of the easier ones to implement would be:

  • Store the token in a database, with (tokencode, claimid) fields.
  • On receiving, set a claimid to microtime(), possibly even a process-id, or hash, as long as it's very much assured to be unique in similar processes started within moments of each other.
  • Try to claim the token: UPDATE tokens SET claimid = <id> WHERE tokencode = <tokencode> AND claimid IS NULL
  • Count the rows changed by the previous statement (or do a select).
  • If a row has changed and/or has your microtime()'d claimid: you are the winner, continue with the action.
  • If nothing has changed or the token has the wrong claimid, the action will not be taken.
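The claim-by-conditional-UPDATE pattern from the answer above, as an added example that is not part of the original post. It uses SQLite (assumed here as the token store) with one connection per simulated request handler, and checks that a burst of simultaneous submissions of the same token yields exactly one winner; `issue_token`, `claim_token`, `race` and the file path are the example's own names.

```python
import secrets
import sqlite3
import tempfile
import threading
import time

def new_store():
    # Create the token table in a fresh temporary database file (constructed for the demo).
    path = tempfile.mktemp(suffix=".sqlite")
    with sqlite3.connect(path) as conn:
        conn.execute("CREATE TABLE tokens (tokencode TEXT PRIMARY KEY, claimid TEXT)")
    return path

def connect(db_path):
    # One connection per request handler; autocommit so the UPDATE is committed at once.
    return sqlite3.connect(db_path, timeout=5, isolation_level=None)

def issue_token(conn):
    # Called when the form is rendered: store an unclaimed token and embed it in the form.
    tokencode = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO tokens (tokencode, claimid) VALUES (?, NULL)", (tokencode,))
    return tokencode

def claim_token(conn, tokencode, claimid):
    # Atomic claim: only the first UPDATE finds claimid IS NULL, so only it changes a row.
    # An unknown token or an already-claimed token changes nothing and is rejected.
    cur = conn.execute(
        "UPDATE tokens SET claimid = ? WHERE tokencode = ? AND claimid IS NULL",
        (claimid, tokencode),
    )
    return cur.rowcount == 1

def race(db_path, tokencode, submitters=8):
    # Simulate a double (here: eightfold) submit: all handlers claim the same token at once.
    winners = []
    start = threading.Barrier(submitters)

    def submit(i):
        conn = connect(db_path)
        start.wait()  # release every submitter at the same moment
        claimid = f"{time.time():.6f}-{threading.get_ident()}-{i}"  # unique per handler
        if claim_token(conn, tokencode, claimid):
            winners.append(claimid)
        conn.close()

    threads = [threading.Thread(target=submit, args=(i,)) for i in range(submitters)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(winners)
```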
