6

Exact Duplicate: How to handle multiple submissions server-side

The general task at hand: preventing a double form submission in a multi-user web based application. Think financial transactions.

I have two methods which can be used in tandem:

  1. JavaScript disabling of button
    • Disadvantage: does not work if JavaScript is disabled
  2. Back-end verfication - see how long ago the last request of this type came from this user and issue error if not too long ago
    • Disadvantage: If the two submissions are close enough together, each may not be able to be aware of the other

I am looking for subject matter experts to contribute their best practices as well as esoteric tricks. Can be any language and framework, but Django is of specific interest. A lot has been written on the web about the task at hand, but it would be nice to have the best practices shown here.

Community
  • 1
  • 1
Krystian Cybulski
  • 10,789
  • 12
  • 67
  • 98
  • This has been closed but where are the similar questions ? double-submit-prevention tag does not bring up exact same problem scenario. – vsingh Mar 26 '10 at 15:39

1 Answers1

8

The common solution is to generate a token on the server every time you generate a form. Store the token on the server, add it as a hidden field to the form, and delete it once you get a form submission with that token.

If you get a form submission without a valid token, it means that the form has already been submitted and ignore it.

This has the added advantage of adding XSRF protection to your project.

James Davies
  • 9,602
  • 5
  • 38
  • 42