[Catalyst] The old double-post issue

Peter Edwards peter at dragonstaff.com
Thu Sep 21 09:10:56 CEST 2006

I use javascript to 
- disable the form at the start of the page
- enable it at the end of the page as it finishes loading
- disable again after submitting
- re-enable clicks in the error screen if a handler fails
also to check document.readyState == 'complete' in button and link handlers.

That stops a click on a part-loaded page before all the js and form elements
are set up. It also catches a double click on a submit or a click on a
submit followed accidentally by one on another hyperlink nearby. But since
the user is heavily protected that's rare unless the js has bombed, in which
case it's good that they can still get out with an ESC or right click
(assuming they know they can do that or your manual tells them so).
It's quite easy to get multiple submits from js if you're messing around
with form.target, form.action etc. in event handlers.

function clickhandler(e) { return false; }

function disableClick()
  if (isNetscape4plus())
    top.window.onclick = clickhandler;
  else if (isIE5plus())
    top.window.document.body.style.cursor = "wait";

function enableClick()
  if (isNetscape4plus())
    top.window.onclick = null;
  else if (isIE5plus())
    top.window.document.body.style.cursor = "default";

// some obj detection code here to detect browser in isNetscape4plus(),...

Regards, Peter
-----Original Message-----
From: catalyst-bounces at lists.rawmode.org
[mailto:catalyst-bounces at lists.rawmode.org] On Behalf Of Bill Moseley
Sent: 21 September 2006 05:34
To: catalyst at lists.rawmode.org
Subject: [Catalyst] The old double-post issue

I had one user complain that when they submitted a form they were
getting a 500 error, yet when reviewing their transaction it was
successfully completed.

But, reviewing the logs I saw an error (a failed transaction) and the
access logs showed two posts at the same time -- the first successful
the second aborted due to the first being already completed.

I'm using C::P::RequestToken to prevent submitting forms twice, but
that still doesn't prevent a second request slipping in before the
token is invalidated.  Perhaps need atomic update for the token stored
in the session.

Even if I trap the exception the user is still going to get a
confusing message if they double post.  Instead of "Transaction
Complete" they will see "Sorry, this transaction is already complete"
kind of thing.

I'm wondering what others are doing to deal with double-posts.  Is
using Javascript to disable the form after posting helpful?  I doubt
it since I would think click submit + <Esc> + click submit would still

BTW -- I have not been able to duplicate the double post -- that is,
double clicking on the submit button (or image) won't trigger it in
FF or my version of IE, although in FF I was able to hit <Esc>
between clicks and generate the double post.  I suspect it's just
the behavior in some version of IE.

Ah the fun of all those versions of browsers:

I had another IE user where they claimed the form on the "login" page
would just clear the fields when they hit submit, but if they used the
login on the side-navigation it worked fine.  Of course, it's the same
form on both pages -- generated by the same template:

        [% PROCESS includes/login_form %]

so it's bit of a mystery why one form would work and not the other.

Bill Moseley
moseley at hank.org

List: Catalyst at lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/

More information about the Catalyst mailing list