Merge commit '35414e9d8b2b5b08986902e32a5a71974a3c4a89' into ja
@@ -1,10 +1,10 @@
|
||||
# 4.4 Duplicate submissions
|
||||
|
||||
I don't know if you have ever seen some blogs or BBS have more then one posts are exactly same, but I can tell you it's because users did duplicate submissions of post form at that time. There are batch of reasons can cause duplicate submissions, sometimes users just double click the submit button, or they want to modify some content after post and press back button, or it's by purpose of malicious users in some vote websites. It's easy to see how the duplicate submissions lead to many problems, so we have to use effective means to prevent it.
|
||||
I don't know if you've ever seen some blogs or BBS' that have more than one posts that are exactly the same, but I can tell you that it's because users submitted duplicate post forms. There many things that can cause duplicate submissions; sometimes users just double click the submit button, or they want to modify some content after posting and press the back button. Other times it's the intentional actions of malicious users. It's easy to see how duplicate submissions can lead to many problems. Thus, we have to use effective means to prevent it.
|
||||
|
||||
The solution is that add a hidden field with unique token to your form, and check this token every time before processing data. Also, if you are using Ajax to submit form, use JavaScript to disable submit button once submitted.
|
||||
The solution is to add a hidden field with a unique token to your form, and to always check this token before processing the incoming data. Also, if you are using Ajax to submit a form, use JavaScript to disable the submit button once the form has been submitted.
|
||||
|
||||
Let's improve example in section 4.2:
|
||||
Let's improve the example from section 4.2:
|
||||
|
||||
<input type="checkbox" name="interest" value="football">Football
|
||||
<input type="checkbox" name="interest" value="basketball">Basketball
|
||||
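Review bot: the new wording drops a verb in "There many things that can cause duplicate submissions; sometimes users just double click the submit button"; it should read "There are many things that can cause duplicate submissions", and "BBS'" reads more naturally as "BBS systems" or simply "forums". On the solution paragraph, "use JavaScript to disable the submit button once the form has been submitted" only addresses the accidental double click mentioned above; it does nothing against the "intentional actions of malicious users" named in the same paragraph, who can resend the request without the page's JavaScript. The text should say plainly that the hidden-token check on the server is the part of the solution that holds against them, and that the check has to reject (not merely notice) a request whose token does not match.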
@@ -14,7 +14,7 @@ Let's improve example in section 4.2:
|
||||
<input type="hidden" name="token" value="{{.}}">
|
||||
<input type="submit" value="Login">
|
||||
|
||||
We used MD5(time stamp) to generate token, and added to hidden field and session in server side(Chapter 6), then we can use this token to check if this form was submitted.
|
||||
We use an MD5 hash (time stamp) to generate the token, and added it to both a hidden field on the client side form and a session cookie on the server side (Chapter 6). We can then use this token to check whether or not this form was submitted.
|
||||
|
||||
func login(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Println("method:", r.Method) // get request method
|
||||
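Review bot: the translation changes where the token is stored. The old sentence says the token is added to the hidden field "and session in server side", while the new one says "a session cookie on the server side". A cookie lives in the browser; the comparison this section describes needs the server-side copy held in the session (Chapter 6), so keep "session" rather than "session cookie". The same sentence also mixes tenses ("We use an MD5 hash ... and added it to both"); "We generate the token ... and add it to both" would be consistent. Separately, "MD5 hash (time stamp)" describes a token derived only from the current time, which anyone who can guess the timestamp can reproduce, and that matters against the malicious users the previous paragraph mentions; a one-line note that a real token should come from a cryptographically secure random source, even if the example keeps MD5 of a timestamp for brevity, would be worthwhile here.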
@@ -44,14 +44,14 @@ We used MD5(time stamp) to generate token, and added to hidden field and session
|
||||
|
||||

|
||||
|
||||
Figure 4.4 The content in browser after added token
|
||||
Figure 4.4 The content in browser after adding a token
|
||||
|
||||
You can refresh this page and you will see different token every time, so this keeps every form is unique.
|
||||
You can refresh this page and you will see a different token every time. This ensures that every form is unique.
|
||||
|
||||
For now you can prevent many of duplicate submissions attacks by adding token to your form, but it cannot prevent all the deceptive attacks, there is much more work should be done.
|
||||
For now, you can prevent many duplicate submission attacks by adding tokens to your forms, but it cannot prevent all deceptive attacks of this type. There is much more work that needs to be done.
|
||||
|
||||
## Links
|
||||
|
||||
- [Directory](preface.md)
|
||||
- Previous section: [Cross site scripting](04.3.md)
|
||||
- Next section: [File upload](04.5.md)
|
||||
- Next section: [File upload](04.5.md)
|
||||
|
||||
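Review bot: "You can refresh this page and you will see a different token every time. This ensures that every form is unique." overstates what a fresh token per render achieves. A new token on each page load makes every rendered form distinct, but the back-button case described at the top of the section resubmits the same form carrying the same old token; that is only stopped if the server deletes the token from the session after the first successful check, and neither the old nor the new text says so. Suggest adding one sentence to that effect, either here or after "We can then use this token to check whether or not this form was submitted." in the previous hunk. Also, the final "- Next section: [File upload](04.5.md)" appears twice in this diff with identical visible content, which usually indicates a whitespace-only or trailing-newline change; confirm that is intended rather than an accidental duplicate entry in the Links list.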