I am working on a web application (J2EE) and I would like to know the options that are available for handling a double post from the browser.
The solutions that I have seen and used in the past are all client-side:
- Disable the submit button as soon as the user clicks it.
- Follow a POST-Redirect-GET pattern to prevent POSTs when the user clicks the back button.
- Handle the onSubmit event of the form and keep track of the submission status with JavaScript.
I would prefer to implement a server side solution if possible. Are there any better approaches than the ones I have mentioned above, or are client-side solutions best?
we use a time sensitive, one time ticket. It's like a session id of sort. But it is tied to the form/page.
You discard the ticket when the user submits the page, and you only process pages that comes with a valid ticket. You can, at the same time, tighten security by attaching the ticket to a user, so tat if a ticket comes in that is submitted by a user that is not the user that the ticket was submitted to, you reject the request.
Struts has something like this built in if you happen to be using it.
http://struts.apache.org/1.x/apidocs/org/apache/struts/util/TokenProcessor.html
Its hard to implement an idiot-proof solution (as they are alway improving the idiots). No matter what you do, the client side can be manipulated or perform incorrectly.
Your solution has got to be server side to be reliable and secure. That said, one approach is to review the request and check system/database state or logs to determine if it was already processed. Ideally, the process on the server side should be idempotent if possible, and it will have to protect against dupe submits if it can't be.
Implement a uniqueid to go with the request and log it along with the execution. If the id was already logged, you don't do the job again. This is kinda like the fallback solution - you should try and disable the button or link clientside as well as you suggested yourself
Two server-side solutions come to mind:
You could supply a "ticket" as part of the form, some random number - and make sure it doesn't get accepted twice, on the server side.