Preventing a 2nd form submission

Discussion in 'ASP General' started by CJM, Jun 13, 2005.

  1. CJM

    CJM Guest

    How do people go about preventing the user from submitting a form for a 2nd
    time? For example, the user submits a form, clicks on the back button, and
    the submits the form again.

    I have used various techniques in the past (depending on circumstances) but
    I'd be interested in the techniques you guys currently use.

    Thanks

    --

    [remove the obvious bits]
    CJM, Jun 13, 2005
    #1
    1. Advertising

  2. CJM wrote:
    > How do people go about preventing the user from submitting a form for
    > a 2nd time? For example, the user submits a form, clicks on the back
    > button, and the submits the form again.
    >
    > I have used various techniques in the past (depending on
    > circumstances) but I'd be interested in the techniques you guys
    > currently use.
    >
    > Thanks
    >

    It can't be prevented: you simply have to be prepared to handle it wehen it
    does occur. This means using database constraints to prevent duplicate
    entries. Perhaps using "IF EXISTS ..." if using SQL Server, or an extra
    query when using Access to determine if a transaction has already occurred.
    Setting a Session or Cookie variable to indicate that a transaction has
    occurred may also work, as well as saving the extra trip to the database.

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Jun 13, 2005
    #2
    1. Advertising

  3. CJM

    Cactus Corp. Guest

    > How do people go about preventing the user from submitting a form for a 2nd
    > time?


    Hi there!

    I usually disable the submit button through a simple javascript property
    change for the client side.This measure will prevent the user from clicking
    twice on the same button. Then on the server side, I always use
    Response.Redirect to ensure the user is not on a 'submitting step' anymore.

    antoine, cc
    Cactus Corp., Jun 13, 2005
    #3
  4. Cactus Corp. wrote:
    >> How do people go about preventing the user from submitting a form
    >> for a 2nd time?

    >
    > Hi there!
    >
    > I usually disable the submit button through a simple javascript
    > property change for the client side.This measure will prevent the
    > user from clicking twice on the same button. Then on the server side,
    > I always use Response.Redirect to ensure the user is not on a
    > 'submitting step' anymore.
    >

    This works great until one of your clients disables javascript ...
    Also, it does not address the problem of users using the Back button on
    their browser to get back to the original submission page.
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Jun 13, 2005
    #4
  5. CJM

    Giles Guest

    "Bob Barrows [MVP]" <> wrote in message
    news:...
    > CJM wrote:
    >> How do people go about preventing the user from submitting a form for
    >> a 2nd time? For example, the user submits a form, clicks on the back
    >> button, and the submits the form again.
    >>
    >> I have used various techniques in the past (depending on
    >> circumstances) but I'd be interested in the techniques you guys
    >> currently use.
    >>
    >> Thanks
    >>

    > It can't be prevented: you simply have to be prepared to handle it wehen
    > it
    > does occur. This means using database constraints to prevent duplicate
    > entries. Perhaps using "IF EXISTS ..." if using SQL Server, or an extra
    > query when using Access to determine if a transaction has already
    > occurred.
    > Setting a Session or Cookie variable to indicate that a transaction has
    > occurred may also work, as well as saving the extra trip to the database.
    >
    > Bob Barrows


    Putting in a hidden field with a big randomly generated number (eg Now
    followed by a random) can help (maybe this is kinda what Bob is referring
    to?)

    If the DB already has a record with this field value, it's a resubmit.
    (Probably!)

    Some people also use this as a unique querystring to ensure that pages are
    always called from the server, and not from a cache.

    Giles
    Giles, Jun 13, 2005
    #5
  6. Giles wrote:
    >
    > Putting in a hidden field with a big randomly generated number (eg Now
    > followed by a random) can help (maybe this is kinda what Bob is
    > referring to?)
    >
    > If the DB already has a record with this field value, it's a resubmit.
    > (Probably!)
    >

    No, it's something I intended to mention, but forgot. However, hidden fields
    can be spoofed. his will only prevent accidental resubmissions, It may make
    it possible for a hacker to hijack someone's session...

    Bob Barrows

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Jun 13, 2005
    #6
  7. CJM

    CJM Guest

    Thanks for the replies.

    Sorry Bob, when talked about preventing the form submission, I was of course
    talking about handling the form submission.

    Currently I'm trying to handle these on a case-by-case basis, since the
    context varies quite a bit.

    Generally, when adding a new record, I'm trapping where possible when this
    record already exists. When the operation updates a record, it isnt so much
    of a problem - the timestamps are out by a few seconds perhaps but little
    damge can be done. Likewise for Delete operations; if you have deleted a
    record, there is little further damage you can do.

    The problem I have is with Identity fields. I am tracking items with unique
    serial numbers around a system; as part of this we have a Stockmovements
    table which records when an item is moved from place to place. Clearly, ithe
    the Primary Key being an Identity field, we can't easily check if the record
    has already been added (by looking at the data).

    I'm working on a session variable-based method whereby at the start of the
    operation a flag is set, and cleared after the operation is completed. If
    the user re-submits it will detect this. (I think Bob hinted at this
    approach as well)

    I'm sure it's not fool-proof, but it will cut out the vast majority of
    mistakes (I hope).

    Chris
    CJM, Jun 14, 2005
    #7
  8. Bob said: However, hidden fields can be spoofed.

    Bob,

    What about Session Vars? Can these be spoofed as well?



    "Bob Barrows [MVP]" wrote:

    > Giles wrote:
    > >
    > > Putting in a hidden field with a big randomly generated number (eg Now
    > > followed by a random) can help (maybe this is kinda what Bob is
    > > referring to?)
    > >
    > > If the DB already has a record with this field value, it's a resubmit.
    > > (Probably!)
    > >

    > No, it's something I intended to mention, but forgot. However, hidden fields
    > can be spoofed. his will only prevent accidental resubmissions, It may make
    > it possible for a hacker to hijack someone's session...
    >
    > Bob Barrows
    >
    > --
    > Microsoft MVP -- ASP/ASP.NET
    > Please reply to the newsgroup. The email account listed in my From
    > header is my spam trap, so I don't check it very often. You will get a
    > quicker response by posting to the newsgroup.
    >
    >
    >
    John Beschler, Jun 14, 2005
    #8
  9. John Beschler wrote:
    > Bob said: However, hidden fields can be spoofed.
    >
    > Bob,
    >
    > What about Session Vars? Can these be spoofed as well?
    >
    >
    >

    If session id's are somehow exposed to users (for example, via hidden
    fields), then yes: sessions can be hijacked.

    Security is TOUGH!

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Jun 14, 2005
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Leon Shaw

    (onetime) Form Submission

    Leon Shaw, Aug 15, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    355
  2. Oleg Konovalov

    Preventing duplicate form submission

    Oleg Konovalov, Oct 31, 2006, in forum: Java
    Replies:
    14
    Views:
    1,327
  3. Jared
    Replies:
    5
    Views:
    210
    Jared
    Jul 10, 2003
  4. Replies:
    3
    Views:
    199
  5. Oleg Konovalov

    Preventing duplicate form submission

    Oleg Konovalov, Oct 31, 2006, in forum: Javascript
    Replies:
    8
    Views:
    184
Loading...

Share This Page