[Catalyst] The old double-post issue

Bill Moseley moseley at hank.org
Fri Sep 22 00:57:11 CEST 2006

On Thu, Sep 21, 2006 at 05:04:38PM -0500, Wade.Stuart at fallon.com wrote:
> But why are you returning an error page,  doesn't the fact that the token
> no longer is valid mean that the form has already been submitted (return a
> oops this form has already been submitted page)?

The token is still valid.  The test for the token and its update are
not atomic, so a second request can get in before the session is
updated to reflect that the token is invalid.  It's a race condition.

So, it would be helpful to move to a token system where the test and
invalidation are atomic (like storing the token in the database and
checking rows deleted).

If I submit a form and wait, then reload then, yes, it will tell me
the form can't be posted because the token is no longer valid.  But,
by double post, I mean a double-click on the submit button.  It's
submitting the request, then quickly submitting the same request

In that case even returning "oops, page already submitted" still means
the first request (of a double-post) was processed and the user sees
no output from that first request.  I see no way around that, except
the sick idea below.  If you hit submit and then close your browser
you get basically the same result -- don't see the response.

> > My code now detects that something doesn't quite make sense and gives
> > a slightly smarter message.  But, it's not always easy to see a
> > request and know that it's already happened vs. just is not in a
> > state where that kind of request is allowed.
> Does the plugin actually lose its state without a submission? (even if you
> go to another section of website on the same session...)

The token is stored in the session.  So all that happens is upon
submission a check is made that the token exists in the form and it
matches the current one stored in the session.  If so, it is deleted.
When a new form is created a new token is created.  Someone can't
really have two windows open at the same time.

I think I'll move to a system of storing the tokens in the database
and then it's one token per form and can only be used for one
submission.  And use cron to remove old tokens.

I could be crazy and store the output from first form posting in the
database and then if another form is posted with that same token just
redisplay the original page's output.  That sounds like trouble.

Geeze, if people double click on submit buttons and can get past the
javascript then they get what they deserve. ;)

Bill Moseley
moseley at hank.org

More information about the Catalyst mailing list