John Rivers
Hello,
This topic has bugged me for years.

The ideal for handling web forms would be that submitting the form replaces the browser history's current URL with the URL resulting from the form processing code's Response.Redirect URL. This can be achieved for links using client-side DOM "location.replace()"; however, I can't see a way of doing it for forms?

I am trying to stop people pressing "back" and seeing old forms and then clicking submit. Although I can easily detect this at the server and stop any damage etc., the perfect solution would be to stop the stale form from existing on the client.

Also, using Response.Expires works, but I feel it is bad practice to force a roundtrip when somebody is pressing back, and may not be interested in that page but one further back.

The way I stop stale forms from being an issue on the server is to give each form state context an id and sequence number which must match the next post.

You can make this strong by sticking a digest of the URL plus a secret onto the end of the URL, i.e.:
page.asp?id=1&seq=4&hash=847389473987439
or even lock it down further by including the referer URL in the digest.

All of this is OK for protecting the server from damage, but what about cleaning up all those stale forms in the browser history?

The ideal would be something like:
form.submitWithReplace();

I am surprised it isn't an option in HTML itself:
<form action="page.asp" method="post" replace="yes">
as once a form has been submitted it rarely has any value to anybody?
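
The id, sequence number and URL digest scheme described in the post above, sketched in Node.js as an added example that is not part of the original post. It assumes HMAC-SHA256 in place of a plain digest of URL plus secret and an in-memory sequence table; the names SECRET, expectedSeq, signFormUrl and acceptPost are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: one server-side key per deployment, never sent to the client.
const SECRET = crypto.randomBytes(32);
// Assumption: in-memory table of form context id -> sequence number accepted next.
const expectedSeq = new Map();

function mac(path, id, seq) {
  // HMAC instead of hash(url + secret): a bare digest over concatenated
  // data can be extended by a client with MD5, SHA-1 or SHA-256.
  return crypto.createHmac('sha256', SECRET)
    .update(`${path}\n${id}\n${seq}`)
    .digest('hex');
}

// Called when a form is rendered; path must be absolute, e.g. "/page.asp".
function signFormUrl(path, id) {
  const seq = expectedSeq.get(id) ?? 1;
  expectedSeq.set(id, seq);
  return `${path}?id=${encodeURIComponent(id)}&seq=${seq}&hash=${mac(path, id, seq)}`;
}

// Called when the form is posted; returns 'ok', 'tampered' or 'stale'.
function acceptPost(url) {
  const u = new URL(url, 'http://localhost'); // base is only there to parse a relative URL
  const id = u.searchParams.get('id') ?? '';
  const seq = u.searchParams.get('seq') ?? '';
  const given = Buffer.from(u.searchParams.get('hash') ?? '', 'hex');
  const want = Buffer.from(mac(u.pathname, id, seq), 'hex');
  // Constant-time comparison so the check does not leak how many bytes matched.
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) {
    return 'tampered';
  }
  // Valid signature but an old sequence number: a form reached via Back.
  if (expectedSeq.get(id) !== Number(seq)) return 'stale';
  expectedSeq.set(id, Number(seq) + 1); // advance so this form cannot be replayed
  return 'ok';
}
```

The signature only proves the server issued that id and sequence pair; the sequence table is what rejects the resubmitted form, so it has to live wherever the rest of the form state lives.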