Preventing double form submissions

Question

Exact Duplicate: How to handle multiple submissions server-side

The general task at hand: preventing a double form submission in a multi-user web based application. Think financial transactions.

I have two methods which can be used in tandem:

1. JavaScript disabling of button
   • Disadvantage: does not work if JavaScript is disabled
2. Back-end verfication - see how long ago the last request of this type came from this user and issue error if not too long ago
   • Disadvantage: If the two submissions are close enough together, each may not be able to be aware of the other

I am looking for subject matter experts to contribute their best practices as well as esoteric tricks. Can be any language and framework, but Django is of specific interest. A lot has been written on the web about the task at hand, but it would be nice to have the best practices shown here.

Answer 1

The common solution is to generate a token on the server every time you generate a form. Store the token on the server, add it as a hidden field to the form, and delete it once you get a form submission with that token.

If you get a form submission without a valid token, it means that the form has already been submitted and ignore it.

This has the added advantage of adding XSRF protection to your project.