(1)包含有Form表单得页面必须通过一个服务器程序动态生成,服务器程序为每次产生得页面中的form表单都分配一个唯一得随机标识号,并在form表单得一个隐藏域 保存
(2)当用户提交form得时候,负责接受这一请求得服务器程序比较form表单隐藏字段中的标识号与存贮在session中的是否相同,当下列情情况时候,服务器程序将忽略提交请求:
a.当前用户session不存在表单标识
b.用户提交得表单数据并没有标识号字段
c.存贮在当前用户的session中得标识号与表单数据中的不同
import
java.security.MessageDigest;
import
java.security.NoSuchAlgorithmException;
import
javax.servlet.http.HttpServletRequest;
import
javax.servlet.http.HttpSession;
public
class
TokenProcessor
{
private long privious;//上次生成表单标识号得时间值 private static TokenProcessor instance=new TokenProcessor(); public static String FORM_TOKEN_KEY="FORM_TOKEN_KEY";
private TokenProcessor(){ 
} public static TokenProcessor getInstance(){ return instance; } /* * 验证请求中得标识号是否有效,如果请求中的表单标识与当前用户session中的相同,返回结果true= */ public synchronized boolean isTokenValid(HttpServletRequest request){ //未避免session对象不存在时候创建Session对象 HttpSession session=request.getSession(false); if(session==null){return false;} String saved=(String)session.getAttribute(FORM_TOKEN_KEY); if(saved==null){ return false; } String token=(String)request.getParameter(FORM_TOKEN_KEY); if(token==null){ return false; } return saved.equals(token); } /* * 清楚存储在当前用户session中的表单标识号 */ public synchronized void reset(HttpServletRequest request){ HttpSession session=request.getSession(false); if(session==null){ return; } session.removeAttribute(FORM_TOKEN_KEY); } /* * 产生表单标识号并将之保存在当前用户得session中 */ public synchronized void saveToken(HttpServletRequest request){ HttpSession session=request.getSession(); try { byte id[]=session.getId().getBytes(); long current=System.currentTimeMillis(); if(current==privious){ current++; } privious=current; byte now[]=String.valueOf(current).getBytes(); MessageDigest md=MessageDigest.getInstance("MD5"); md.update(id); md.update(now); String token=toHex(md.digest()); session.setAttribute(FORM_TOKEN_KEY, token); } catch (NoSuchAlgorithmException e) { } } /* * 将一个字节数转换成十六进制得字符串 * */ public String toHex(byte buffer[]){ StringBuffer sb=new StringBuffer(buffer.length*2); for (int i = 0; i < buffer.length; i++) { sb.append(Character.forDigit((buffer[i]&0x60)>>4, 16)); sb.append(Character.forDigit(buffer[i]&0x0f, 16)); } return sb.toString(); }
}
import
java.io.IOException;
import
java.io.PrintWriter;
import
javax.servlet.ServletException;
import
javax.servlet.http.HttpServlet;
import
javax.servlet.http.HttpServletRequest;
import
javax.servlet.http.HttpServletResponse;
public
class
FormDoubleServlet
extends
HttpServlet
{ protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html;charset=gb2312"); PrintWriter out=response.getWriter(); TokenProcessor tokemProcessor=TokenProcessor.getInstance(); if(!tokemProcessor.isTokenValid(request)){ out.println("重复提交"); } String p1=request.getParameter("p"); if(p1==null||p1.trim().equals("")){ out.println("请输入内容"); }else{ out.println("提交内容被处理"); tokemProcessor.reset(request);//清楚session中的标识 } } }
<%
@ page contentType="text/html; charset=GBK"
%>
<%
TokenProcessor tokemProcessor=TokenProcessor.getInstance();
tokemProcessor.saveToken(request);
String token=(String)request.getSession().getAttribute(tokemProcessor.FORM_TOKEN_KEY);
%>
<
html
>
<
head
>
<
title
>
用户登陆
</
title
>
</
head
>
<
body
>
<
form
action
="/testServlet"
method
="post"
>
<
input
name
="<%=tokemProcessor.FORM_TOKEN_KEY %>"
value
="<%=token %>"
>
<
input
name
="q"
/>
<
input
type
="submit"
value
="submit"
/>
</
form
>
</
body
>
</
html
>
String token=(String)request.getSession().getAttribute(tokemProcessor.FORM_TOKEN_KEY);
%>
<
html
>
<
head
>
<
title
>
用户登陆
</
title
>
</
head
>
<
body
>
<
form
action
="/testServlet"
method
="post"
>
<
input
name
="<%=tokemProcessor.FORM_TOKEN_KEY %>"
value
="<%=token %>"
>
<
input
name
="q"
/>
<
input
type
="submit"
value
="submit"
/>
</
form
>
</
body
>
</
html
>