tags:

views:

497

answers:

7
+8  Q: 

How do you prevent a user from posting data multiple times on a website

I am working on a web application (J2EE) and I would like to know the options that are available for handling a double post from the browser.

The solutions that I have seen and used in the past are all client-side:

  • Disable the submit button as soon as the user clicks it.
  • Follow a POST-Redirect-GET pattern to prevent POSTs when the user clicks the back button.
  • Handle the onSubmit event of the form and keep track of the submission status with JavaScript.

I would prefer to implement a server side solution if possible. Are there any better approaches than the ones I have mentioned above, or are client-side solutions best?

+6  A: 

You could supply a "ticket" as part of the form, some random number - and make sure it doesn't get accepted twice, on the server side.

zigdon  2008-09-24 22:35:57
How do you handle a user pressing the back button (most browsers don't re-request), changing the data in the form, and submitting the same "ticket" again?
jayrdub  2010-08-19 23:13:05
You can't stop the user from resubmitting a new request with the same ticket, but you can reject it on the server side, with a "Duplicate request" error.
zigdon  2010-08-19 23:28:35
Right, but people do that on purpose - submit a form, press back because they know they need to correct something, submit form again. Their legitimate usage of the browser's back button to edit a record would result in an error.
jayrdub  2010-08-20 17:35:09
Sure, and if it's a legit pattern than you can add support for it - on the server side, find their previous request (with the same ticket), and update the information as needed. It's your call how long you're willing to accept changes to the form, of course.
zigdon  2010-08-20 18:03:44
if the submission was completed fully, you should disable the token, or if the submission was made partly, you should allow the token to be re-used, handling the partly submitted details at the same time.
abel  2010-10-07 14:14:47
+2  A: 

Two server-side solutions come to mind:

  1. Create one-time use "tokens" in a hidden form field. Once a token is used, it is deleted from whatever database or session context object you're storing it in. The second time, it's not accepted.
  2. Cache information received, and if an identical form is received within a certain time period (10 minutes? an hour? You decide!) it is ignored.
Josh Hinman  2008-09-24 22:36:58
1. How do you handle a user pressing the back button (most browsers don't re-request), changing the data in the form, and submitting the same token again?2. What if within the time period the form is submitted with a value A, then the user changes it to have value B, then change it back to value A again? Wouldn't that ignore the last change?
jayrdub  2010-08-19 23:15:43
A: 

Implement a uniqueid to go with the request and log it along with the execution. If the id was already logged, you don't do the job again. This is kinda like the fallback solution - you should try and disable the button or link clientside as well as you suggested yourself

Per Hornshøj-Schierbeck  2008-09-24 22:37:19
A: 

I'd use a timestamp and compare values with your server side code. If two timestamps are close enough and have the same IP address, ignore the second form submission.

VirtuosiMedia  2008-09-24 22:37:20
op requested a server side solution
paan  2008-09-24 22:41:17
I didn't read the post carefully enough, but I edited my answer so it is more in line with the question.
VirtuosiMedia  2008-09-24 22:43:18
And what if the user really has two bits of data they want to post in that time period? Tough luck seems to be your anwer.
roryf  2008-09-24 22:50:20
+5  A: 

Its hard to implement an idiot-proof solution (as they are alway improving the idiots). No matter what you do, the client side can be manipulated or perform incorrectly.

Your solution has got to be server side to be reliable and secure. That said, one approach is to review the request and check system/database state or logs to determine if it was already processed. Ideally, the process on the server side should be idempotent if possible, and it will have to protect against dupe submits if it can't be.

Joe Skora  2008-09-24 22:38:43
+1  A: 

we use a time sensitive, one time ticket. It's like a session id of sort. But it is tied to the form/page.

You discard the ticket when the user submits the page, and you only process pages that comes with a valid ticket. You can, at the same time, tighten security by attaching the ticket to a user, so tat if a ticket comes in that is submitted by a user that is not the user that the ticket was submitted to, you reject the request.

paan  2008-09-24 22:40:03
A: 

Struts has something like this built in if you happen to be using it.

http://struts.apache.org/1.x/apidocs/org/apache/struts/util/TokenProcessor.html

Konrad  2008-09-25 03:10:58

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?