During a log inspection of my ASP.NET MVC application I discovered that some users managed to post same form twice. I tried to reproduce it but I failed. Anyway I'd like to prevent users from posting same data twice. Is there any canonical solution for that in ASP.NET MVC or I have to develop my own custom solution?
I case of custom solution I can imagine client side and server side solution. Can you recommend me anything in either case?
The usual approach is to disable the submit button immediately after clicking it.
Something like this with jQuery should work:
<script type="text/javascript">
$("#myform").submit(function()
{ $("#submit-button").attr("disabled", "disabled"); });
</script>
Now after reading closely your question and seeing that you use ASP.NET MVC....
The double post is probably caused because users refresh the page after posting it. If you simply return a view from your post action:
[AcceptVerbs (HttpVerbs.Pos)]
ActionResult ProcessUserPost ()
{
/*...*/
return View ();
}
Then the browser will attempt to recreate the page by performing the same steps, meaning submitting the remembered form again. Some browsers will display a warning message (FireFox), the others will just do it quietly (looking at Opera). In order to avoid this you need to assure the page the user is getting is the result of a GET request not POST.
Basically, you need to perform a redirect instead of returning a view. This will instruct the browser to fetch a page again.
[AcceptVerbs (HttpVerbs.Pos)]
ActionResult ProcessUserPost ()
{
/*...*/
return RedirectToAction ("DisplayTheForm");
}
This way refreshing the page won't cause a new POST request being sent.
Of course, this will not prevent your users clicking the back button to return to the form page to submit it again. But that situation should be handled in your business logic, check for double submission of the same order by the same user of whatever it is that you are doing.
I can think of three ways to handle this.
One technique I have used to prevent a double post is using a server side and client side key that changes with each post. It works like this:
Generate a unique (random) key on the server and place it in the session and also in a hidden field.
When the user posts back the first time compare the key in the hidden field to the key in the session, and, if they match, accept the input and then change or remove the key from the session and update the hidden field as well.
If the user manages to click submit twice the second post will fail because the hidden field in the HTML will no longer match the session variable until the page has been refreshed.
Disable buttons first.
This will prevent users from submitting the form twice while browser waits for server response. But you should be careful with this one. When user hits submit, you will have to first validate your form (if you use client validation) and when it's valid, imediatelly disable buttons using this code.
$(":submit, :button").attr("disabled", true);
Use one of the following redirect action results in your controller
This will prevent users from hitting F5 after the form has been processes to resend POST data. This is called POST-REDIRECT-GET pattern.
RedirectToAction();
RedirectToRoute();
Redirect(); // redirects to URL
EDIT
As you've said in comments, your page already uses P-R-G pattern. In this case I'd make sure to implement first step.