swt83

Reputation: 2011

Token Method on Forms, Double Submit Issue

I've spent weeks working on double-submit protection on my forms. Straight up, the session method of storing tokens doesn't work.

Sessions work fine for a refresh of the page or someone going back through their history... but the classic double submit by clicking the button numerous times cannot be prevented using sessions.

I'm thinking the script cannot check/write/delete sessions fast enough to catch the error when multiple clicks are being processed within milliseconds of each other.

Is there another server-side method of preventing this problem?

Upvotes: 2

Views: 1202

Answers (1)

Wrikken

Reputation: 70490

It seems you need an independent token store capable of avoiding race conditions. To get this to work several solutions are available; one of the easier to implement would be:

  • Store the token in a database, with (tokencode,claimid) fields.
  • On receiving, set a claimid to microtime(), possibly even a process-id, or hash, as long as it's very much assured to be unique in similar processes started within a moment of each other.
  • Try to claim the token: UPDATE tokens SET claimid = <id> WHERE tokencode = <token> AND claimid IS NULL
  • Count rows changed of previous statement (or do a select).
  • If a row has changed and/or has your microtime()'d claimid: you are the winner, continue with the action
  • If nothing has changed or the token has the wrong claimid the action will not be taken.

Upvotes: 3
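The claim-and-count procedure from the answer above, written out as an added example in Python with sqlite3. This is not code from the original answer; the table and column names, the claim-id format (nanosecond clock plus a UUID in place of microtime()), the retry loop on lock contention, and the thread-based simulation of a multi-click double submit are all assumptions made here.

```python
import os
import secrets
import sqlite3
import tempfile
import threading
import time
import uuid

# One row per issued form token. claimid stays NULL until a submission wins the race.
SCHEMA = "CREATE TABLE IF NOT EXISTS tokens (tokencode TEXT PRIMARY KEY, claimid TEXT)"


def connect(db_path):
    # isolation_level=None puts sqlite3 in autocommit mode, so each UPDATE below is
    # its own transaction and the database, not the application, serialises writers.
    return sqlite3.connect(db_path, isolation_level=None, timeout=5.0)


def init_store(db_path):
    conn = connect(db_path)
    conn.execute(SCHEMA)
    return conn


def temp_db_path():
    # Fresh file-backed database so several connections (threads) can share it.
    return os.path.join(tempfile.mkdtemp(), "tokens.db")


def issue_token(conn):
    # Called when the form is rendered; the token goes into a hidden field.
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO tokens (tokencode, claimid) VALUES (?, NULL)", (token,))
    return token


def new_claim_id():
    # Unique per request: nanosecond clock plus a random UUID, so two requests
    # handled in the same microsecond still get different claim ids (assumed format).
    return f"{time.time_ns()}-{uuid.uuid4()}"


def claim_token(conn, token, claim_id=None, attempts=50):
    """Return True only if this request is the one that claimed the token."""
    claim_id = claim_id or new_claim_id()
    for _ in range(attempts):
        try:
            # The compare-and-set: the WHERE clause matches only an unclaimed row and a
            # single UPDATE is atomic, so at most one request ever sees rowcount == 1.
            cur = conn.execute(
                "UPDATE tokens SET claimid = ? WHERE tokencode = ? AND claimid IS NULL",
                (claim_id, token),
            )
        except sqlite3.OperationalError:
            # Lock contention ("database is locked"): nothing was written, so retry.
            time.sleep(0.01)
            continue
        if cur.rowcount == 1:
            return True
        # Drivers that do not report rowcount reliably: re-read and compare claim ids.
        row = conn.execute("SELECT claimid FROM tokens WHERE tokencode = ?", (token,)).fetchone()
        return row is not None and row[0] == claim_id
    return False  # could not reach the database: fail closed, do not run the action


def simulate_double_submit(db_path, token, submissions=8):
    """Fire `submissions` concurrent requests carrying the same token; return how many won."""
    results = []
    results_lock = threading.Lock()
    start = threading.Barrier(submissions)

    def handle_request():
        won = False
        conn = connect(db_path)          # one connection per request, as a web app would
        try:
            start.wait(timeout=10)       # release every "click" at the same instant
            won = claim_token(conn, token)
        finally:
            conn.close()
        with results_lock:
            results.append(won)

    threads = [threading.Thread(target=handle_request) for _ in range(submissions)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)


if __name__ == "__main__":
    path = temp_db_path()
    conn = init_store(path)
    token = issue_token(conn)
    print("winners out of 8 simultaneous submits:", simulate_double_submit(path, token))
    print("later claim of the same token:", claim_token(conn, token))
```

The invariant to check is that exactly one of the simultaneous submissions returns True and every later attempt with that token returns False, including a token that was never issued. The important design point is that the decision is made by one conditional UPDATE rather than a SELECT followed by an UPDATE; the SELECT-then-UPDATE version is the same check-then-act race the question describes with sessions.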
