Expire the page after submission
I'm implementing an iAuth form for a credit application in a J2EE container (JSTL+JSP+Stripes). The vendor states in the implementation guide:
Expire the “Questions” page after answers submission
When performing iAuth transactions you will need to “expire” the page on which the consumer's questi开发者_开发百科ons will be displayed after they have submitted their answers. This is crucial in order to prevent a consumer from using the "back" button to modify their answers after they have already submitted them once and found that their authentication attempt was unsuccessful. Once the answers to a question set have been transmitted to vendor, that question session is closed. Any additional attempts at modifying the answers to the same question set will result in an "invalid transaction-continue" response.
I am unsure what this means.
Are "they" suggesting just setting "Cache-Control" and/or "Pragma" headers on the form page?
Well you can use HTTP related techniques to expire pages. But those methods are rather what I consider "soft" techniques.
To better secure your system, you may want to follow this kind of server-side implementation:
Page A refers to the page that goes to the Form Page and Page B is the controller which receives the information posted by Form Page.
- User visits Page A
- Page A determines that the Form Page should be viewable to User
- Page A creates a session variable
A
and sets it totrue
- Page A shows a link, or redirect the User, to Form Page
- Form Page determines whether User can view the page by checking session variable
A
- Form Page displays the form.
- User enters the information and submits the form
- Form Page post data to Page B
- Page B receives the information, validate, and delete session variable
A
Of course it can be even more complex with time checking (whether the User took too long from Page A to Form B, or took merely a second to submit Form Page to Page B).
When it comes to security in networking: Server side > Client Side
精彩评论