[thelist] Modern browsers and preventing double form posting

Bill Moseley moseley at hank.org
Wed May 9 09:23:17 CDT 2012


Ignoring JavaScript for the moment, I have tools I have used for a very
long time to prevent double-posting of forms (url-encoded and form-data
type forms). It simply creates a unique token each time a form is
rendered. And along with that, each time a form is posted the post must
include a token AND I must be able to atomically delete that token (it
exists and only one process can remove it). The tokens tend to have a life
of a few hours, IIRC.

Another thing I do after each successful post is issue a redirect.

Now, on one application I noticed that the testing of the token on form
submission was disabled, which was a concern.  But, then I started to test
the app and was unable via Chrome, Safari, and IE8 to even generate a
double-post.

What I'm wondering is if it's even necessary anymore with modern browsers
to do this extra work server-side to prevent double-posting of the same
form data.

See also:
http://stackoverflow.com/questions/2791856/has-form-post-behavior-changed-in-modern-browsers-or-how-are-double-clicks-han

Yes, using JavaScript to disable a submit button is also commonly used, but
that's not what I'm asking about here.

Thanks,

-- 
Bill Moseley
moseley at hank.org
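
The server-side scheme described in the message above, as an added example that is not code from the original post: a token is issued per rendered form, a post is accepted only if its token can be atomically deleted, and a successful post ends in a redirect. Python with SQLite as the token store, the names FormTokenStore and handle_post, the 409/303 status codes and the three-hour lifetime are all assumptions made for illustration.

```python
import secrets
import sqlite3
import threading
import time

TOKEN_TTL = 3 * 3600  # assumed lifetime; the post only says "a few hours"

class FormTokenStore:
    """One-time form tokens: consume() succeeds for exactly one caller."""
    def __init__(self, path=":memory:"):
        # One shared connection for the demo; the lock only serialises its use.
        self._db = sqlite3.connect(path, check_same_thread=False)
        self._lock = threading.Lock()
        self._db.execute("CREATE TABLE IF NOT EXISTS form_token "
                         "(token TEXT PRIMARY KEY, expires REAL NOT NULL)")

    def issue(self, now=None):
        """Call on every form render; the result goes in a hidden field."""
        token = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + TOKEN_TTL
        with self._lock, self._db:
            self._db.execute("INSERT INTO form_token VALUES (?, ?)", (token, expires))
        return token

    def consume(self, token, now=None):
        """Atomic test-and-remove: the DELETE either removes the row or not."""
        now = time.time() if now is None else now
        with self._lock, self._db:
            cur = self._db.execute(
                "DELETE FROM form_token WHERE token = ? AND expires > ?", (token, now))
        return cur.rowcount == 1

def handle_post(store, form, orders):
    """Hypothetical POST handler: act at most once, then redirect."""
    if not store.consume(form.get("form_token", "")):
        return 409  # missing, expired or already-used token: do nothing
    orders.append(form["item"])  # the side effect that must not repeat
    return 303  # redirect, so a reload repeats a GET and not the POST

def concurrent_posts(n=8):
    """Submit the same constructed form n times in parallel."""
    store, orders, statuses = FormTokenStore(), [], []
    form = {"form_token": store.issue(), "item": "widget"}  # constructed sample
    workers = [threading.Thread(
        target=lambda: statuses.append(handle_post(store, form, orders)))
        for _ in range(n)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sorted(statuses), orders
```

Because the decision rests on the row count of a single DELETE, the same check holds when the posts arrive at separate server processes sharing one database.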

