Preventing a 2nd form submission

[CJM]

How do people go about preventing the user from submitting a form for a 2nd
time? For example, the user submits a form, clicks on the back button, and
the submits the form again.

I have used various techniques in the past (depending on circumstances) but
I'd be interested in the techniques you guys currently use.

Thanks

 

[Bob Barrows [MVP]]

How do people go about preventing the user from submitting a form for
a 2nd time? For example, the user submits a form, clicks on the back
button, and the submits the form again.

I have used various techniques in the past (depending on
circumstances) but I'd be interested in the techniques you guys
currently use.

Thanks

It can't be prevented: you simply have to be prepared to handle it wehen it
does occur. This means using database constraints to prevent duplicate
entries. Perhaps using "IF EXISTS ..." if using SQL Server, or an extra
query when using Access to determine if a transaction has already occurred.
Setting a Session or Cookie variable to indicate that a transaction has
occurred may also work, as well as saving the extra trip to the database.

Bob Barrows

 

[Cactus Corp.]

How do people go about preventing the user from submitting a form for a 2nd

time?

Hi there!

I usually disable the submit button through a simple javascript property
change for the client side.This measure will prevent the user from clicking
twice on the same button. Then on the server side, I always use
Response.Redirect to ensure the user is not on a 'submitting step' anymore.

antoine, cc

 

[Bob Barrows [MVP]]

Hi there!

I usually disable the submit button through a simple javascript
property change for the client side.This measure will prevent the
user from clicking twice on the same button. Then on the server side,
I always use Response.Redirect to ensure the user is not on a
'submitting step' anymore.

This works great until one of your clients disables javascript ...
Also, it does not address the problem of users using the Back button on
their browser to get back to the original submission page.

 

[Giles]

It can't be prevented: you simply have to be prepared to handle it wehen
it
does occur. This means using database constraints to prevent duplicate
entries. Perhaps using "IF EXISTS ..." if using SQL Server, or an extra
query when using Access to determine if a transaction has already
occurred.
Setting a Session or Cookie variable to indicate that a transaction has
occurred may also work, as well as saving the extra trip to the database.

Bob Barrows

Putting in a hidden field with a big randomly generated number (eg Now
followed by a random) can help (maybe this is kinda what Bob is referring
to?)

If the DB already has a record with this field value, it's a resubmit.
(Probably!)

Some people also use this as a unique querystring to ensure that pages are
always called from the server, and not from a cache.

Giles

 

[Bob Barrows [MVP]]

Putting in a hidden field with a big randomly generated number (eg Now
followed by a random) can help (maybe this is kinda what Bob is
referring to?)

If the DB already has a record with this field value, it's a resubmit.
(Probably!)

No, it's something I intended to mention, but forgot. However, hidden fields
can be spoofed. his will only prevent accidental resubmissions, It may make
it possible for a hacker to hijack someone's session...

Bob Barrows

 

[CJM]

Thanks for the replies.

Sorry Bob, when talked about preventing the form submission, I was of course
talking about handling the form submission.

Currently I'm trying to handle these on a case-by-case basis, since the
context varies quite a bit.

Generally, when adding a new record, I'm trapping where possible when this
record already exists. When the operation updates a record, it isnt so much
of a problem - the timestamps are out by a few seconds perhaps but little
damge can be done. Likewise for Delete operations; if you have deleted a
record, there is little further damage you can do.

The problem I have is with Identity fields. I am tracking items with unique
serial numbers around a system; as part of this we have a Stockmovements
table which records when an item is moved from place to place. Clearly, ithe
the Primary Key being an Identity field, we can't easily check if the record
has already been added (by looking at the data).

I'm working on a session variable-based method whereby at the start of the
operation a flag is set, and cleared after the operation is completed. If
the user re-submits it will detect this. (I think Bob hinted at this
approach as well)

I'm sure it's not fool-proof, but it will cut out the vast majority of
mistakes (I hope).

Chris

 

[John Beschler]

Bob said: However, hidden fields can be spoofed.

Bob,

What about Session Vars? Can these be spoofed as well?

 

[Bob Barrows [MVP]]

Bob said: However, hidden fields can be spoofed.

Bob,

What about Session Vars? Can these be spoofed as well?

If session id's are somehow exposed to users (for example, via hidden
fields), then yes: sessions can be hijacked.

Security is TOUGH!

Bob Barrows