session token防表单重提

1、表单页面初始化前，先在session存入一个token值，随后把token存放在表单页面隐藏表单域内，开始初始化；

　　在表单页初始化前，调用ajax请求，在后台生成token，并返回至表单页

function generateTokenId(){
    var url =appPath+'/page/placeOrder/order/generateTokenId';
    doAjax({
        url : url,
        type : 'post',
        async : false,
        success : function(data) {
            $("#tokenId").val(data);
        }
    });
}

@RequestMapping(value = "/order/generateTokenId")
@ResponseBody
public String initCreateOrder(HttpServletRequest request){
        String uuid = UUID.randomUUID().toString();
        HttpSession session = request.getSession();
        session.setAttribute("UUID", uuid);
        return uuid;
}

<!-- 提交按钮 -->
<div style="700px;margin-top: 5px;text-align: center">
    <input type="hidden" id="tokenId" />
    <a class="easyui-linkbutton" href="javascript:void(0)" iconCls="icon-ok" onclick="doCreateOrder()">提交订单</a>
    &nbsp;&nbsp;&nbsp;&nbsp;
    <a class="easyui-linkbutton" href="javascript:void(0)" iconCls="icon-cancel" onclick="closeTab()">取消下单</a>
</div>

2、提交表单时，把隐藏表单域内token作为参数传到后台，与从session取出的token对比，若比对成功，则进行后续操作，且移除session中的token值；否则，算作重复提交，直接返回。

　　比对

public synchronized Map<String, Object> createOrder(HttpServletRequest request, OrderInfo orderInfo) {
                boolean flag = this.isResubmit(request, orderInfo);
                Map<String, Object> resuMap = new HashMap<String, Object>();
                if (flag) {
                        request.getSession().removeAttribute("UUID");//验证成功，及时移除
                       
                        try {
                                String result = doCreateOrder(orderInfo);
                                if(result=='ok'){
                                       //继续后续操作
                                }else{
                                        String uuid = initCreateOrder(request);//token重置
                                        resuMap.put("tokenId",uuid);
                                }

                        } catch (Exception e) {
                        }
                }
        }

private boolean isResubmit(HttpServletRequest request, OrderInfo orderInfo){
        boolean flag = false;
        String uuid=null;
        if (null!=request.getSession().getAttribute("UUID")) {
            uuid = request.getSession().getAttribute("UUID").toString();
        }
        String timeId = orderInfo.getTimeId();//timeId即为tokenId
        if (null!=timeId && timeId.equals(uuid)) {
            flag = true;
        }
        return flag;
}

3、若后续操作中有些是对表单的验证，且验证通不过，表单不提交，停留在当前页，则需要重置session中token值，并且把新的token传入到表单页面隐藏表单域中（一般是ajax返回），否则表单内的值被会清空。

 if(result=='ok'){
         //继续后续操作
 }else{
        String uuid = initCreateOrder(request);
        resuMap.put("tokenId",uuid);
 }

@RequestMapping(value = "/order/generateTokenId")
        @ResponseBody
        public String initCreateOrder(HttpServletRequest request){
            String uuid = UUID.randomUUID().toString();
            HttpSession session = request.getSession();
            session.setAttribute("UUID", uuid);
            return uuid;
        }