I'm trying to process a credit card transaction in .net and it works perfectly in Safari, Opera, and IE. When I try the same transaction in Firefox it sends two requests and I end up with a double charged card. From a quick search on Google it seems that this is an issue with Firebug but I am unable to find a way to stop this double post.
Does anyone have any idea on how to prevent Firefox (and Firebug) from doing this?
Use a nonce, a unique key which is only used once.
Send a unique number along with the form fields to the browser (this is often done with a hidden input field), and store a copy on the server with the transaction. Within the form, change the number on submit. Validate that the keys match when processing your requests.
There may also be a clear explanation of what's happening on the front end, and that issue could be eliminated client-side. It's best to solve the double-submit problem on the server, simply because there are so many ways in which a double submit could occur.
I've had the same issue -- didn't realise it was specific to FireBug though. You really should fix this properly anyway, in case the user clicks the back button and re-submits.
The usual way is to have a unique token for the transaction in a hidden field in the form. When the server-side receives the form, it prevents another transaction being made.
I use Firebug 1.2.1 and it has already a prevention for the double post bug, it shows you this warning when you want to see the AJAX response:
Firebug needs to POST to the server to get this information for url: http://example.url/
This second POST can interfere with some sites. If you want to send the POST again, open a new tab in Firefox, use URL 'about:config', set boolean value 'extensions.firebug.allowDoublePost' to true This value is reset every time you restart Firefox This problem will disappear when https://bugzilla.mozilla.org/show_bug.cgi?id=430155 is shipped.
I also had this happen to me once in Firefox--it can happen under some circumstances when you "View Source". The Firebug double-post sounds like a similar issue.
In the end, though, it's a good thing you caught this now--it'd be bad if double-charging a credit card could be as simple as hitting the back button after placing an order. (And as a developer for an e-commerce company, I can tell you that this happens all the time. If your checkout process has four steps/pages, just imagine the havoc that you can wreak by opening step 3 in a new browser window, hitting back to the previous step in the first window, then completing the order in the second browser window ... trust me, I've learned the hard way. You will be amazed at what people do to get around that Hawaii shipping surcharge calculation on step 3.)
The nonce is one solution; another is to simply to do a sanity check on the page that processes the credit card. Look in your database and say "wait a minute ... this order is already charged!" Then vomit with a graceful error message. Hope this helps!
It might not be firebug.
I had a similar issue last year (though, in my case, it was a sequence of endless GET requests whenever viewing a standalone media file: GIF, JPG, WMV, etc).
I disabled all of my extensions and then tried re-enabling them one at a time, checking each extension to see if it was causing the problem. It turned out to be the Skype extension, in my case.
So don't just rely on second-hand knowledge that it's firebug. If you actually hone in on the problem, you might discover that it's something else entirely.
Thanks for the post and the solutions. In my case too it is Firebug that is submitting the request again. It is just a signup page (which includes captcha) I am working on. Each time the request comes, I need to reset captcha. When the user comes to singup page, the first request (sent by browser) is processed fine but the request sent by firebug is resetting the captcha to null.
Is there is a way that otherthan database support, I can solve this issue (to identify the request sent by firebug).
Thank you in advance.