[thelist] Modern browsers and preventing double form posting

Bill Moseley moseley at hank.org
Wed May 9 09:23:17 CDT 2012

Ignoring Javascript for the moment, I have tools I have used for a very
long time to prevent double-posting of forms (url-encoded and form-data
type forms).  It simply creates a unique token each time a form is
rendered.   And along with that, each time a form is posted the post must
include a token AND I must be able to atomically delete that token (it
exists and only one process can remove it.)  The tokens tend to have a life
of a few hours, IIRC.

Another thing I do after each successful post is issue a redirect.

Now, on one application I noticed that the testing of the token on form
submission was disabled, which was a concern.  But, then I started to test
the app and was unable via Chrome, Safari, and IE8 to even generate a

What I'm wondering is if it's even necessary anymore with modern browsers
to do this extra work server-side to prevent double-posting of the same
form data.

See also:

Yes, using javascript to disable a submit button is also commonly used, but
that's not what I'm asking about here.


Bill Moseley
moseley at hank.org

More information about the thelist mailing list