2

How can I avoid the browser form-resubmission alert?

This question seems to have been discussed a lot here on SO, for example:

What I do not get from the previous discussion is how I can use the posted data and incorporate it into the HTML. The previous links discuss how to use the PHP header function to send a GET request to itself. But when sending this GET request, the posted data will no longer be available to the new page (since we cannot use the PHP post method).

I would like to do this without using the PHP or JavaScript session storage technique (or saving the posted data to a temporary MySQL database).

For a simple example:

<html>
   <body>
      <form action="post.php" method="post">
      User name: <input type="text" name="user"><br>
         <input type="submit" value="Submit">
      </form>
   </body>
</html>

where post.php is:

<html>
   <body>
      <?php
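          // Escape the posted value before echoing it into the page (avoids reflected XSS)
          echo "<p>".htmlspecialchars($_POST['user'], ENT_QUOTES, 'UTF-8')."</p>";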
      ?>
   </body>
</html>

Pressing CTRL-R in Google Chrome on the second page brings up the alert.

Håkon Hægland
  • Possible duplicate of [How to prevent form resubmission when page is refreshed (F5 / CTRL+R)](https://stackoverflow.com/questions/6320113/how-to-prevent-form-resubmission-when-page-is-refreshed-f5-ctrlr) – Eugen Konkov Nov 12 '17 at 11:34

3 Answers

3

Do a redirect from post.php. Save data in session or in database and retrieve from redirect page.

Example Scenario:

  • Submit the form
  • Save the user record to db, get the id of the new record e.g. in $id
  • Redirect using header, something like:
    header('Location: result.php?user_id='.$id); exit;
  • Get the user record from db, with the provided id and show it to the user.
Headshota
  • Thanks for the reply, but I think I cannot use browser query strings, due to sensitive data. – Håkon Hægland Jun 08 '14 at 17:28
  • I am not sure from whom you are getting this wrong opinion, but passing an id of the resource in the query string is a common standard. If you are showing the name of the user on the page itself, how is an id of the same user sensitive data? – Headshota Jun 08 '14 at 17:32
  • Ok maybe you are right.. So I just put the sensitive data into the database, then pass only user name as query string.. and then fetch the sensitive data back from database in the php get form... yes.. sounds good :) – Håkon Hægland Jun 08 '14 at 17:39
  • If you use names, make sure they are unique. Otherwise use ids. – Headshota Jun 08 '14 at 17:40
  • Ok, I wonder: could the use of query string be a security issue? If someone else, not the original user, performed a get access to the same url with the query string of the first user, could the second user be able to access the first user's sensitive data? – Håkon Hægland Jun 08 '14 at 17:47
  • @HåkonHægland not if your PHP backend is well-written – esqew Jun 08 '14 at 17:55
  • @HåkonHægland That is a separate problem. You need an authentication mechanism to restrict other users from accessing the url. – Headshota Jun 08 '14 at 18:01
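
The scenario from this answer, together with the authentication point raised in its comments, as an added example (not code from the original posts): the POST side stores the data and returns the redirect target, and the GET side returns the record only to the viewer who owns it. The `submissions` table, the function names and the viewer ids are assumptions; in a real application the viewer id would come from the authenticated session, and the `pdo_sqlite` extension is assumed for the in-memory demo.

```php
<?php
// Added example: Post/Redirect/Get where the GET side checks record ownership.
// Table, column and function names are hypothetical.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');   // constructed in-memory store for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, owner_id INTEGER, user TEXT)');
    return $db;
}

// POST side: store the data and return the Location that a real script would
// send with header('Location: ...') followed by exit.
function handle_post(PDO $db, int $ownerId, array $post): string {
    $stmt = $db->prepare('INSERT INTO submissions (owner_id, user) VALUES (?, ?)');
    $stmt->execute([$ownerId, (string)($post['user'] ?? '')]);
    return 'result.php?user_id=' . (int)$db->lastInsertId();
}

// GET side: the id from the query string is only a lookup key. The row is
// returned only if it belongs to the authenticated viewer.
function handle_get(PDO $db, int $viewerId, array $get): array {
    $id = filter_var($get['user_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [400, 'Bad request'];
    }
    $stmt = $db->prepare('SELECT user FROM submissions WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $viewerId]);
    $user = $stmt->fetchColumn();
    if ($user === false) {
        return [404, 'Not found'];      // same answer for "missing" and "not yours"
    }
    return [200, '<p>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>'];
}

// Constructed demo: viewer 7 submits, then viewers 7 and 8 request the same URL.
$db = open_db();
$location = handle_post($db, 7, ['user' => '<b>alice</b>']);
parse_str((string)parse_url($location, PHP_URL_QUERY), $query);
foreach ([7, 8] as $viewer) {
    [$status, $body] = handle_get($db, $viewer, $query);
    echo "viewer $viewer: $status $body\n";
}
```

Because the redirect target is fetched with GET, reloading it repeats only the read and never the insert.
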
1

Use this:

<script>
// Replace the current history entry with the same URL (no new entry is added)
if (window.history.replaceState) {
    window.history.replaceState(null, null, window.location.href);
}
</script>
jkdev
0

You may rewrite the browser history object:

history.replaceState("", "", "/the/result/page");

See this

Eugen Konkov