1.为每个请求设置一个标记,当此页面是首次被请求时,生成标记并放入session中,并且把此生成的标记的值作为隐含标签传递到处理页面
2.提交表单时,跳转页面处理请求中的标记,如果判断请求中session对象的标记和隐含标签中的值相同,处理请求,并将session中的标记值去除
(也可通过设置间隔时间实现)
( TokenGen.java)
package
com.beans; import java.util.*;import javax.servlet.http.*; public
class TokenGen { private
static TokenGen instance = new
TokenGen(); private
TokenGen() {} public
static TokenGen getInstance() { return
instance; } public
synchronized boolean isTokenValid(HttpServletRequest request) { // 没有session,判为非法 HttpSession session = request.getSession(false); if
(session == null) return
false; // session中不含token, // 说明form被提交过后执行了resetToken()清除了token // 判为非法 String stoken = (String) session.getAttribute("token"); if
(stoken == null) return
false; // request请求参数中不含token, // 判为非法 String rtoken = request.getParameter("token"); if
(rtoken == null) return
false; // request请求中的token与session中保存的token不等,判为非法 return
stoken.equals(rtoken); } /* * 重新设置token,当页面被请求后,将session中的token属性去除 */ public
synchronized void resetToken(HttpServletRequest request) { HttpSession session = request.getSession(false); if
(session!=null) { session.removeAttribute("token"); } } /* * 为请求新建一个token标记,此标记由一个随机的double数toString形成,并把字符值存入session中 */ public
synchronized void saveToken(HttpServletRequest request) { HttpSession session = request.getSession(true); Random rand = new
Random(); Double d = rand.nextDouble(); session.setAttribute("token", d.toString()); }}<%@ page language="java"
import="com.beans.*"
pageEncoding="gb2312"%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>注册页面1</title> <meta http-equiv="pragma"
content="no-cache"> <meta http-equiv="cache-control"
content="no-cache"> <meta http-equiv="expires"
content="0"> <meta http-equiv="keywords"
content="keyword1,keyword2,keyword3"> <meta http-equiv="description"
content="This is my page"> </head> <% TokenGen.getInstance().saveToken(request); String s = (String)session.getAttribute("token"); %> <body> <form id="form1"
name="form1"
method="post"
action="register.jsp"> <table align="center"> <tr> <td colspan="2"><br><input type="hidden"
name="token"
value="<%=s%>"/> </td> </tr> <tr> <td align="right"> 用户名: </td> <td> <input type="text"
name="t1"
/> </td> </tr> <tr> <td align="right"> 密码: </td> <td> <input type="password"
name="t2"
/> </td> </tr> <tr> <td align="right"> 确认密码: </td> <td> <input type="password"
name="t3"
/> </td> </tr> <tr> <td align="right"> 性别: </td> <td> <input type="radio"
name="radio"
id="radio"
value="boy"
/> 男 <input type="radio"
name="radio"
id="radio2"
value="gril"
/> 女 </td> </tr> <tr> <td align="right"> 个人说明: </td> <td> <textarea name="textraea1"
rows="15"
cols="60"></textarea> </td> </tr> <tr> <td align="right"> <input type="submit"
name="button"
id="button"
value="提交"
/> </td> <td> <input type="reset"
name="button2"
id="button2"
value="重置"
/> </td> </tr> </table> </form> </body></html>(register.jsp)处理请求<%@ page language="java"
import="com.beans.*"
pageEncoding="gb2312"%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>处理注册页面1</title> <meta http-equiv="pragma"
content="no-cache"> <meta http-equiv="cache-control"
content="no-cache"> <meta http-equiv="expires"
content="0"> <meta http-equiv="keywords"
content="keyword1,keyword2,keyword3"> <meta http-equiv="description"
content="This is my page"> <!-- <link rel="stylesheet"
type="text/css"
href="styles.css"> --> </head> <body> <% TokenGen tokenGen=TokenGen.getInstance(); if
(!tokenGen.isTokenValid(request)) { out.print("这是重复提交或非法提交!"); } else { // 处理请求,并执行resetToken方法,将session中的token去除 tokenGen.resetToken(request); } %> </body></html> |
原文:http://www.cnblogs.com/jameslif/p/3663903.html