I'm finding it hard to determine best practice for detecting duplicate form submissions. I'm using the latest Spring Boot, Thymeleaf and Spring Security, and the out-of-the-box CSRF functionality all appears to be working.
The design of the application is such that submit buttons get disabled via JavaScript onclick, successful POSTs result in a redirect (POST-Redirect-GET pattern), and I had (seemingly wrongly) thought that the CSRF protection would provide the server-side protection for anything that slipped through the JavaScript.
For some reason my dodgy Logitech G500 mouse (which has started double-clicking everything) has managed to highlight a problem with the application. Somehow it has defeated the JavaScript and it has revealed that there is no protection on the server for duplicate form submissions - i.e. the form got processed twice. I'll have a look into the JavaScript later, but I don't want to rely upon this to protect the server so I want to be able to detect it at the server.
Given how much Spring does (including the CSRF protection) I was somewhat surprised and have done a lot of Googling. From what I can tell, there used to be something in the old Spring framework (references to AbstractFormController.handleInvalidSubmit) but that no longer exists now. I've also seen references to RequestMappingHandlerAdapter and settings such as synchronizeSession and sessionForm, but I don't really understand them yet. There are also a load of custom solutions that people have produced, including a HandlerInterceptorAdapter with associated tag library and a cache that performs some custom processing.
So my questions are:
- Why doesn't the CSRF protection prevent this?
- What sort of support is built in to detect and handle duplicate form submission?
- If a custom solution is necessary, do you have any advice for best practice? In particular, the second click will get rejected and if I display an error page the user might never see the handling of the first click and thus not realise it was actually processed directly.
I have read this: Duplicate form submission in Spring, including the Synchronizer piece from 2009, but of course it's quite old and some of those things are no longer valid.
Thanks
Marcus
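Added example (not part of the question above and not Spring's own code): one way to do the server-side check with a per-form, one-time token, which also answers the "what does the second click see" concern by redirecting it to wherever the first click went. It assumes Spring Boot 3 (Spring MVC 6 on Jakarta Servlet) with the application at the root context path; the names `_formToken`, `OneTimeFormTokenInterceptor`, `FormTokenConfig`, `OrderController` and the `/orders` URLs are invented for illustration. The reason the CSRF token does not do this job is that Spring Security's default `HttpSessionCsrfTokenRepository` issues one token for the whole session and `CsrfFilter` only compares it on each request; it is never consumed, so the same value is valid for every submit of every form in that session.

```java
package example.dedup;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** One-time form token kept in the HTTP session: the first POST presenting it wins,
 *  a concurrent duplicate gets 409, a later duplicate is redirected to the first result. */
public class OneTimeFormTokenInterceptor implements HandlerInterceptor {
    public static final String PARAM = "_formToken";               // hidden-field name (assumed)
    private static final String TOKENS = OneTimeFormTokenInterceptor.class.getName() + ".tokens";
    private static final String CURRENT = OneTimeFormTokenInterceptor.class.getName() + ".current";
    private static final String UNUSED = "UNUSED", IN_FLIGHT = "IN_FLIGHT"; // anything else = redirect target
    private static final SecureRandom RNG = new SecureRandom();

    /** Called from the GET handler that renders the form; the value goes into a hidden input. */
    public static String issue(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);                                        // unguessable, so it cannot be forged
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens(session).put(token, UNUSED);
        return token;
    }

    @SuppressWarnings("unchecked")
    private static Map<String, String> tokens(HttpSession session) {
        Map<String, String> m = (Map<String, String>) session.getAttribute(TOKENS);
        if (m == null) {                                           // first form rendered in this session
            m = new ConcurrentHashMap<>();
            session.setAttribute(TOKENS, m);
        }
        return m;
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        if (!"POST".equalsIgnoreCase(req.getMethod())) return true; // only state-changing submits
        HttpSession session = req.getSession(false);
        String token = req.getParameter(PARAM);
        if (session == null || token == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing form token");
            return false;
        }
        Map<String, String> tokens = tokens(session);
        // Atomic compare-and-set: exactly one request can move the token UNUSED -> IN_FLIGHT,
        // so two clicks arriving at the same instant on two threads cannot both pass.
        if (tokens.replace(token, UNUSED, IN_FLIGHT)) {
            req.setAttribute(CURRENT, token);
            return true;
        }
        String state = tokens.get(token);
        if (state == null) {                                       // never issued in this session
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown form token");
        } else if (IN_FLIGHT.equals(state)) {                      // first click is still being processed
            res.sendError(HttpServletResponse.SC_CONFLICT, "this form is already being processed");
        } else {                                                   // first click finished: show its result
            res.sendRedirect(state);                               // assumes root context path
        }
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse res, Object handler, ModelAndView mav) {
        String token = (String) req.getAttribute(CURRENT);
        if (token == null || mav == null || mav.getViewName() == null) return;
        String view = mav.getViewName();
        if (view.startsWith("redirect:"))                          // PRG succeeded: remember the target
            tokens(req.getSession()).put(token, view.substring("redirect:".length()));
    }

    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse res, Object handler, Exception ex) {
        String token = (String) req.getAttribute(CURRENT);
        // No redirect recorded (form re-rendered with validation errors, or an exception): allow a retry.
        if (token != null) tokens(req.getSession()).replace(token, IN_FLIGHT, UNUSED);
    }
}

@Configuration
class FormTokenConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new OneTimeFormTokenInterceptor()).addPathPatterns("/orders/**");
    }
}

@Controller
class OrderController {
    private final AtomicLong ids = new AtomicLong();               // stands in for a real repository

    @GetMapping("/orders/new")
    String form(HttpSession session, Model model) {
        model.addAttribute("formToken", OneTimeFormTokenInterceptor.issue(session));
        return "order-form"; // Thymeleaf: <input type="hidden" name="_formToken" th:value="${formToken}"/>
    }

    @PostMapping("/orders")
    String create(@RequestParam String item) {                     // runs at most once per rendered form
        return "redirect:/orders/" + ids.incrementAndGet();
    }
}
```

The token is in addition to, not instead of, the Spring Security CSRF token: CSRF proves the request came from your own page, the one-time token proves this particular rendering of the form has not been submitted before. The map grows by one entry per form rendered and dies with the session; if a session can render thousands of forms, cap or expire entries. A duplicate that arrives while the first is still in flight cannot be redirected to a result that does not exist yet, so it gets 409; in practice the double-click case usually lands after the first request has already redirected, and that second click then ends up on the same result page the user would have seen anyway.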