F5 (refresh) acts as a form submit

I have a hidden parameter called "act", which should pass one of the values "load" or "save" when I click the "Send" button.

The problem is pressing the F5 (refresh) button after clicking the submit button: because the URL already contains "&act=save", pressing F5 actually passes (via CGI) the value "save" again, and the save operation is performed again even though I did not press the submit button.

Question: how can I prevent "&act=save" from being sent when I click refresh?

thanks


Thanks to everyone. Apart from the "Submit" button there is a "Save" button, which means I want to leave the user able to cancel the admin save, so I do not leave the page. For this reason, I do not think that a session can help distinguish between a second save and a first refresh.

+4
3 answers

The main problem is that you use GET where you should be using POST. The HTTP specification says:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.

If you use POST, the browser will at least alert you to resubmit the form.

To avoid this, use the POST-Redirect-GET pattern.

+6

You cannot stop the user from pressing F5 or prevent the page from reloading after the form is resubmitted. Even when using the POST method on the form, the user can resend the data.

Two common ways to overcome this:

  • Use a session variable: set it on the first view of the form, then check it on submission. If it already exists, the form has already been submitted, so just ignore the submission or show a custom message.

  • After a successful submission, redirect the user to another page. Pressing F5 then reloads this new page and does not send the data again.

+2

A more complex solution than those already provided is to create an action token every time a page with a form is generated. This action token is stored on the server and also sent to the client. When the client submits the form, it includes the action token. When the server receives the form submission, it checks the submitted action token against the token or tokens stored in that user's session. If it matches an unexpired token, processing of the form is allowed to continue and the token is expired in the session.

This prevents a form from being submitted more than once, and also has a side effect which, if implemented properly, can help mitigate cross-site request forgery.

0
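A minimal implementation of the action-token scheme described in the answer above, as an added example (not code from any of the answers on this page). The in-memory dict stands in for real server-side session storage, and the `handle_save` handler and the `act`/`token` field names are assumptions made for the example:

```python
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime of an issued token


class ActionTokenStore:
    """Per-session store of single-use form tokens with expiry.

    The dict stands in for server-side session storage (assumption).
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._sessions = {}   # session_id -> {token: expires_at}
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested

    def issue(self, session_id):
        """Called when the page with the form is rendered; the returned
        token goes into a hidden field alongside 'act'."""
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._sessions.setdefault(session_id, {})[token] = self._clock() + self._ttl
        return token

    def consume(self, session_id, token):
        """Called on submission. Returns True at most once per token:
        unknown, foreign-session, reused and expired tokens all fail."""
        tokens = self._sessions.get(session_id, {})
        expires_at = tokens.get(token)
        if expires_at is None:
            return False
        del tokens[token]   # expire it now, whether fresh or stale
        return self._clock() <= expires_at


def handle_save(store, session_id, form):
    """Assumed request handler: act=save runs only when the token is accepted,
    so an F5 replay of the same request is rejected instead of saving twice."""
    if form.get("act") != "save":
        return "ignored"
    if not store.consume(session_id, form.get("token", "")):
        return "rejected: missing, reused or expired token"
    return "saved"
```

Because the token is bound to the session and consumed on first use, a refresh that replays the original request carries a token the server no longer holds, which is exactly the duplicate-save case from the question.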
