javafueled

Reputation: 534

Expire the page after submission

I'm implementing an iAuth form for a credit application in a J2EE container (JSTL+JSP+Stripes). The vendor states in the implementation guide:

Expire the “Questions” page after answers submission

When performing iAuth transactions you will need to “expire” the page on which the consumer's questions will be displayed after they have submitted their answers. This is crucial in order to prevent a consumer from using the "back" button to modify their answers after they have already submitted them once and found that their authentication attempt was unsuccessful. Once the answers to a question set have been transmitted to vendor, that question session is closed. Any additional attempts at modifying the answers to the same question set will result in an "invalid transaction-continue" response.

I am unsure what this means.

Are "they" suggesting just setting "Cache-Control" and/or "Pragma" headers on the form page?

Upvotes: 0

Views: 1915

Answers (1)

mauris

Reputation: 43619

Well you can use HTTP related techniques to expire pages. But those methods are rather what I consider "soft" techniques.

To better secure your system, you may want to follow this kind of server-side implementation:

Page A refers to the page that goes to the Form Page and Page B is the controller which receives the information posted by Form Page.

  1. User visits Page A
  2. Page A determines that the Form Page should be viewable to User
  3. Page A creates a session variable A and sets it to true
  4. Page A shows a link, or redirects the User, to Form Page
  5. Form Page determines whether User can view the page by checking session variable A
  6. Form Page displays the form.
  7. User enters the information and submits the form
  8. Form Page posts data to Page B
  9. Page B receives the information, validates it, and deletes session variable A

Of course it can be even more complex with time checking (whether the User took too long from Page A to Form B, or took merely a second to submit Form Page to Page B).

When it comes to security in networking: Server side > Client Side

Upvotes: 1
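The nine steps above as an added Java example (not code from the question or the answer): the session is modelled as a plain Map rather than an HttpSession, and the ticket token, the hidden form field it travels in, and the 10-minute limit are assumptions that extend the boolean flag of step 3 with the time check mentioned in the last paragraph.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** One-time, time-limited gate for the Form Page, following Page A -> Form Page -> Page B. */
public class FormGate {
    static final String KEY = "formTicket";          // session variable "A" from the answer
    static final long MAX_AGE_MS = 10 * 60 * 1000;   // assumed limit from Page A to Page B

    static final class Ticket {
        final String token; final long issuedAt;
        Ticket(String token, long issuedAt) { this.token = token; this.issuedAt = issuedAt; }
    }

    /** Page A (step 3): decide the user may see the form and mint a single-use ticket. */
    static String issue(Map<String, Object> session, long now) {
        Ticket t = new Ticket(UUID.randomUUID().toString(), now);
        session.put(KEY, t);
        return t.token;                              // assumed: rendered as a hidden field on Form Page
    }

    /** Form Page (step 5): render only while the ticket exists and is still fresh.
     *  Send "Cache-Control: no-store" with this response too, so Back re-requests it. */
    static boolean mayView(Map<String, Object> session, long now) {
        Ticket t = (Ticket) session.get(KEY);
        return t != null && now - t.issuedAt <= MAX_AGE_MS;
    }

    /** Page B (step 9): accept the posted token once, then delete the variable. */
    static boolean consume(Map<String, Object> session, String posted, long now) {
        Ticket t = (Ticket) session.get(KEY);
        if (t == null) return false;                 // nothing to consume: already submitted once
        session.remove(KEY);                         // burn it before checking, so a bad attempt also closes it
        return t.token.equals(posted) && now - t.issuedAt <= MAX_AGE_MS;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        long t0 = System.currentTimeMillis();
        String token = issue(session, t0);                       // Page A
        System.out.println("form viewable: " + mayView(session, t0 + 1_000));
        System.out.println("first submit:  " + consume(session, token, t0 + 2_000));
        System.out.println("resubmit:      " + consume(session, token, t0 + 3_000)); // Back + submit again
        System.out.println("form viewable: " + mayView(session, t0 + 4_000));        // Back to the form itself
    }
}
```

The second consume() and the final mayView() both fail because Page B removed the session variable, which is the server-side behaviour the answer relies on; the no-store header only stops the browser from showing a cached copy of the form.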
