#1 2009-07-29 13:47:50
- MattF
- Member

- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 1,230
Regarding the form submit disable thing
Just having one of my moments earlier where an idea popped into my head which was totally unrelated to what I was actually doing, but with the form submission feature (as in register.php), where the button is disabled via JavaScript to prevent it from being submitted more than once, could the same not be achieved with a form token?
For example (similar to the CSRF? token job in 1.3), generate a token for each relevant form and store that token in the DB and then remove that token when the form is submitted. If a form is submitted with a token which isn't in the DB, do a quick check for any submissions within the last N minutes from the same user and form (with one or more fields matching existing content in the DB), and inform them if a possible match is found that the form has already been submitted?
I know this idea will have some gaping flaw, but just thought I'd suggest it before the thought completely disappeared from memory.
Screw the chavs and God save the Queen!
#2 2009-07-29 15:17:50
- zaher
- Member

- From: Damascus, Syria
- Registered: 2008-07-12
- Posts: 118
Re: Regarding the form submit disable thing
First
Why disabling button with java is bad for you? It also for me, but (as I think) it must mention it.
#3 2009-07-29 16:07:15
- MattF
- Member

- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 1,230
Re: Regarding the form submit disable thing
> First
> Why disabling button with java is bad for you? It also for me, but (as I think) it must mention it.

Do you mean why do I dislike it? It's not so much dislike, merely a matter of functionality.
Screw the chavs and God save the Queen!
#4 2009-07-29 16:29:47
- elbekko
- Former Developer

- From: Leuven, Belgium
- Registered: 2008-04-30
- Posts: 1,131
Re: Regarding the form submit disable thing
Well, actually, the CSRF token should already take care of it, it just needs to be caught with the proper message.
Ben
SVN repository for my extensions - The thread
Quickmarks 0.5
“Question: How does a large software project get to be one year late? Answer: One day at a time!” - Fred Brooks
#5 2009-07-29 17:53:51
- MattF
- Member

- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 1,230
Re: Regarding the form submit disable thing
Has the token system been backported into 1.4*?
P.S.: Sounds weird asking about a backport when it's numerically larger in version.
Screw the chavs and God save the Queen!
#6 2009-07-29 18:02:31
- Reines
- Lead developer

- From: Scotland
- Registered: 2008-05-11
- Posts: 3,140
Re: Regarding the form submit disable thing
The CSRF token won't affect it since the target URL will be the same, as the user's token doesn't expire after use; it expires when the user's visit times out.
And no, I don't think the CSRF stuff was backported into 1.4.
#7 2009-07-29 20:42:03
- elbekko
- Former Developer

- From: Leuven, Belgium
- Registered: 2008-04-30
- Posts: 1,131
Re: Regarding the form submit disable thing
Hmm, indeed, only in some places if I remember correctly. Never mind
Ben
SVN repository for my extensions - The thread
Quickmarks 0.5
“Question: How does a large software project get to be one year late? Answer: One day at a time!” - Fred Brooks
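
The difference between the single-use form token proposed in post #1 and the visit-lifetime CSRF token described in post #6, as an added example that is not part of the thread or of the forum software's code. The table names, function names and the 300-second window are assumptions, and an in-memory SQLite database stands in for the forum's DB.

```python
import secrets
import sqlite3

WINDOW_SECONDS = 300  # assumed value for post #1's "last N minutes"

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    db.execute("CREATE TABLE form_tokens (token TEXT PRIMARY KEY, user_id INTEGER, form TEXT)")
    db.execute("CREATE TABLE submissions (user_id INTEGER, form TEXT, body TEXT, created REAL)")
    return db

def issue_token(db, user_id, form):
    """Rendering a form: store one fresh token for it."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO form_tokens VALUES (?, ?, ?)", (token, user_id, form))
    return token

def submit_one_time(db, user_id, form, token, body, now):
    """Single-use token: 'accepted', 'duplicate' or 'rejected'."""
    # Consume atomically: the DELETE removes the row on first use, matches nothing after.
    used = db.execute("DELETE FROM form_tokens WHERE token = ? AND user_id = ? AND form = ?",
                      (token, user_id, form)).rowcount
    if used == 1:
        db.execute("INSERT INTO submissions VALUES (?, ?, ?, ?)", (user_id, form, body, now))
        return "accepted"
    # Token not in the DB: look for a matching submission inside the window.
    recent = db.execute(
        "SELECT 1 FROM submissions WHERE user_id = ? AND form = ? AND body = ? AND created >= ?",
        (user_id, form, body, now - WINDOW_SECONDS)).fetchone()
    return "duplicate" if recent else "rejected"

def submit_session_token(db, session_token, presented, user_id, form, body, now):
    """Token that lives for the whole visit: every replay of the same form passes."""
    if not secrets.compare_digest(session_token, presented):
        return "rejected"
    db.execute("INSERT INTO submissions VALUES (?, ?, ?, ?)", (user_id, form, body, now))
    return "accepted"

def demo():
    db = open_db()
    token = issue_token(db, 7, "register")  # constructed user id and form name
    return (submit_one_time(db, 7, "register", token, "hello", 1000.0),
            submit_one_time(db, 7, "register", token, "hello", 1001.0),  # double click
            submit_one_time(db, 7, "register", "not-a-token", "other", 1002.0))

if __name__ == "__main__":
    print(demo())
```

Consuming the token with a single `DELETE` and checking the affected row count means two simultaneous submissions cannot both see the token as valid, which a separate lookup followed by a delete would allow.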
