Stop page from resending forms on refresh

Question

I'm wondering if there is a way to stop pages from resending html forms when you refresh.

I think it's not possible... But I'm not sure – Mohammad Saberi Dec 29 '11 at 21:25 — Mohammad Saberi, Dec 29 '11 at 21:25

score 6 · Accepted Answer · answered Dec 29 '11 at 21:27

6

You could send a Location header to a different URL in your script that is processing the form input. This new URL will be available for the browser without the need to send form data.

answered Dec 29 '11 at 21:27

Alex

32,506
16
106
171

I used this. Thanks a lot. I just had it redirect the same page after the processing of what I wanted to happen was done. – Darren Dec 29 '11 at 21:39

score 5 · Answer 2 · answered Dec 29 '11 at 21:27

It is principally impossible to stop a client (browser) over which you have no control, from doing something. It is however possible - and in your case quite easy - to harden your app against this:

When you show the form, create a random token, store it in the session and add it to the form as a hidden field
When you receive the filled-out form, check the token against the session, if it doesn't match ignore the data, if it does match clear the token from the session and process the data

Any headers or other tricks may or may not work with browsers and people refreshing WITHOUT MALICE, but they definitly won't help against an attacker.

score 5 · Answer 3 · answered Dec 29 '11 at 21:37

Use Post/Redirect/Get: http://en.wikipedia.org/wiki/Post/Redirect/Get

in PHP process the form in code, then instead of outputting anything put this header('Location: http://www.example.com/foo.php'); (obviously replacing the url) and do the display on another page. If you need to pass anything to that page then use the query string and $_GET[]

score 1 · Answer 4 · answered Sep 20 '12 at 04:53

In my quest to solve this, I have been taking a bit of a different approach. In a self developed MVC environment I redirected the page twice. After making sure that the data is submitted to the database, I redirect it to

header("Location: http:// .... /redirect/blogcomment

This will call to my "redirect" class and the "blogcomment" method. Here it will get redirected again to the "referer".

 public function blogcomment() {
    $ref = $_SERVER['HTTP_REFERER'];
    $page = "Location: " . $ref . "#commentform";
    header($page);

}

This clears the POST array and by adding an anchor tag just in front of the form fields, I jump right back to that location. Of course I also gain a lot of freedom in customizing my redirect. So far it works like a charm.

score 1 · Answer 5 · answered Dec 29 '11 at 21:25

1

I don't believe that there is a good way to do this. The way we have accomplished this in the past was to have a last_modified date and a minimum time between posts. If you haven't waited an hour say, the post would be rejected.

answered Dec 29 '11 at 21:25

Wes Crow

2,971
20
24

score 1 · Answer 6 · answered Dec 29 '11 at 21:28

The only trick I know is to have the form submit return a page with a link that you click via javascript (meta refresh, whatever) to get you to a third page.

The idea being that the thing you end up refreshing when you hit F5 is the link page not the form submit page.

score -1 · Answer 7 · answered Mar 23 '16 at 13:17

Double load... i.e. redirecting the page back to itself is bad practice. Try debugging an app that does this and it makes it much more awkward to realize thi is happening. For the love of god people, if you have to php submit a form, send it to a separate script first, then back if you want to remove a refresh sending the form again, much easier to debug!

score -2 · Answer 8 · answered Aug 24 '17 at 20:30

-2

try doing :

  unset( $_POST );

as last command.

answered Aug 24 '17 at 20:30

user1077915

828
1
12
26

Stop page from resending forms on refresh

8 Answers8