Refresh vs. Form Re-submission
-
Form re-submission woes!How can I catch page refreshes and prevent form values from being re-submitted? I've read a lot on the subject and tried varying tactics to counteract the problem. From hidden form variables and plain old user education, no methodology has worked quite as well as I had anticipated upon implementation. However, a lot of sites seem fairly successful in protecting against this problem so there must be something I'm missing (well, more than one something). What am I missing? Does anyone have any tried-and-true methods that they've used? If so, are their any caveats to your preferred method? (This is particularly for Perl/PHP with Apache and/or IIS. I'm hoping for one solution that can be modularized for varying projects, but anything is appreciated.)
-
Answer:
Easiest way would be to set a session cookie to one value when a form is displayed, and set it to a different value (or clear it entirely) after the form is submitted. Then your script can check for the existence of the cookie that means "the form was displayed" before processing the submission. Alternatively, give a unique ID (in a hidden field) to each form you generate and don't accept multiple submisisons from the same form ID. This requires somewhat more work on the back-end because you have to store each processed form ID but should be somewhat more reliable.
purephase at Ask.Metafilter.Com Visit the source
Other answers
...are there any caveats...
purephase
The best way that sites prevent page refreshes from generating form resubmissions is by never landing the user on the form submission page as their final destination. In other words: you have a page, page1.php, that displays a form. The user fills out the form and clicks submit, which sends them to page2.php to do the form submission processing. The form gets processed and the data gets munged however you're munging it, and then page2.php sends the user to page3.php (or back to page1.php, or wherever); the user never ends up on page2.php as their final destination. As a better example, take a look at this very site -- when I click "Post Comment", I don't get sent immediately to this page, but after the site processes my comment, I end up on this page.
delfuego
Well, there's also always AJAX for submission which would unbind the get/post of a form from any submissions. I'd also suggest if at all possible you deal gracefully with submissions that are 100% duplicates. There's usually no reason a comment form should ever accept a perfect dupe of any previous comment, for example. Simply discarding such things w/o comment would deal with 99% of your problems.
phearlez
I think the unique ID is the best approach, even it if is a little more involved. Otherwise, there are some things you can do: 1) Use some JS to disable the submit button after a click. This way a user can't double click it. 2) Do what delfuego suggests and write a page that does nothing but process the data. After it is done processing, it should redirect to a useful spot. Use the Location header combined with the apropriate Status (302 I think)... don't do a crappy meta refresh tag inside HTML. Java servlets has sendRedirect, Perl's CGI.pm has redirect. I can't find anything for PHP, but you can construct a simple redirect function using a couple header calls.
sbutler
delfuego's solution is also called http://www.theserverside.com/patterns/thread.tss?thread_id=20936. A lot of these answers are not really solving purephase's problem. purephase's problem has to do with users refreshing a page and choosing to resubmit the form data when their browser asks them. I suppose disallowing duplicate comments would indirectly solve the problem, but why shouldn't duplicate comments be allowed? I can think of plenty of situations where a user might want to post the same comment twice in the same thread.
bpt
Another vote here for hidden form field with a unique token. Javascript has issues, and other solutions may present you with a race-condition in terms of what came first, the redirect/response or the second click. <form> <input type=hidden name=key value=${guid}> </form> you can even have the ${guid} have a unique constraint in your database to really ensure that the form only gets submitted once. (Or just keep it as session state).
H. Roark
Good answers above. Unique tokens are the only foolproof way. But post-redirect-get means you will hardly ever need them. In any event, it's something you have to do in your form-handling code. It's not magic you can turn on at the web server level (I get the feeling from the way you've phrased your question that you're hoping for a built-in solution).
i_am_joe's_spleen
Are you sure it's not an impatient user clicking on a submit a few times in a row? A lot of users double click everything, just because that's how they do it. I know some pretty simple javascript could be written to ignore button presses within x seconds between them, but I don't have it.
easyasy3k
Related Q & A:
- How to refresh the Properties Window programatically?Best solution by Stack Overflow
- What exactly are article submission websites?Best solution by Writers
- IT vs. MIS vs. Computer Science?
- Plasma tv vs. lcd vs. led.Best solution by Yahoo! Answers
- College prep vs. honors and college prep vs. AP?Best solution by Quora
Just Added Q & A:
- How many active mobile subscribers are there in China?Best solution by Quora
- How to find the right vacation?Best solution by bookit.com
- How To Make Your Own Primer?Best solution by thekrazycouponlady.com
- How do you get the domain & range?Best solution by ChaCha
- How do you open pop up blockers?Best solution by Yahoo! Answers
For every problem there is a solution! Proved by Solucija.
-
Got an issue and looking for advice?
-
Ask Solucija to search every corner of the Web for help.
-
Get workable solutions and helpful tips in a moment.
Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.