How to stop a user submitting the same data more than once.

Aldric Giacomoni wrote:

Quick hit from Google after using "disable form rails after click": http://railsforum.com/viewtopic.php?id=9585

Hope this helps.

Cheers for the reply, but this is quick and dirty and doesn't solve the problem if the user has JavaScript disabled.

I would rather understand what is happening when submit is pressed and work things out from there.

Would be grateful for any more suggestions.

No. I'm at home on my computer, the application is on a web server somewhere in Germany (as far as I know). I will however try to create the error from a different computer, see if that works.

Jim Burgess wrote:

No. I'm at home on my computer, the application is on a web server somewhere in Germany (as far as I know). I will however try to create the error from a different computer, see if that works.

Can you reproduce the same kind of traffic surrounding the times when the user was doing the submit? It's the blind leading the blind here, but I wonder if that may have to do with it.

It's the blind leading the blind here,

:slight_smile:

It was last night and there was relatively little going on. I don't think traffic is the problem.

Is the user who caused the problem friendly or malicious?

If (s)he is (or could be) malicious, then perhaps (s)he didn't use a browser to create three records in your database, but instead wrote some code to post three times in quick succession.

I just added a "sleep 5" to my #create method and tried using the "curl" utility to replicate your problem:

curl -d"traveler[name]=z" http://localhost:3000/travelers

...but that failed because I didn't set the authenticity token properly. I tried a few different things to figure out how to set it properly, but ultimately gave up and just commented out the #protect_from_forgery call in my application controller.

Sure enough, I was able to fire off 3 of these curl commands in quick succession and create 3 new records.

If I were of a much more malicious bent, I could probably figure out how to spoof the authenticity token. At this point, I was just trying to figure out an answer to "how could this happen?".

If your user isn't malicious and isn't using some sort of automated HTTP screen scraping/updating utility, then I've just wasted your time making you read this.

--wpd

Jim Burgess wrote:

It's the blind leading the blind here,

:slight_smile:

It was last night and there was relatively little going on. I don't think traffic is the problem.

Well, then it's time to sacrifice a goat. How long does it take once the button is pressed? Try pressing it once, then again after two-three seconds.

Or try double-clicking, then double-clicking again.

Remember -- users NEVER do things the way you expect them to, always the way THEY want to.

You can put a hidden field in your form, detect it and then set a session variable. Then don't process any more forms when you detect the existence of the session variable.
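The hidden-field idea above only holds up against the three rapid POSTs described earlier in the thread if the server checks and consumes the token in one atomic step. A Ruby sketch of that, added here as an example and not code from the thread; `SubmissionTokens`, `form_token` and the stand-in `TravelersController` are hypothetical names, and the in-memory hash stands in for a shared store.

```ruby
require "securerandom"

# Hypothetical one-time form token store (illustrative, not a Rails API).
# The in-memory hash stands in for a store shared by all app processes.
class SubmissionTokens
  def initialize
    @lock = Mutex.new
    @issued = {} # token => true while still unused
  end

  # Called when the form is rendered; the value goes into a hidden field.
  def issue
    token = SecureRandom.hex(16)
    @lock.synchronize { @issued[token] = true }
    token
  end

  # Check and delete in one step: true for exactly one caller per token,
  # false for repeats, unknown tokens and nil.
  def consume(token)
    @lock.synchronize { !@issued.delete(token).nil? }
  end
end

# Stand-in for the controller's #create action.
class TravelersController
  attr_reader :records

  def initialize(tokens)
    @tokens = tokens
    @records = []
    @records_lock = Mutex.new
  end

  def create(params)
    return :duplicate unless @tokens.consume(params["form_token"])
    sleep 0.05 # slow action, like the "sleep 5" used in the thread
    @records_lock.synchronize { @records << params["name"] }
    :created
  end
end

# Three POSTs of the same form in quick succession (constructed input).
def triple_submit
  tokens = SubmissionTokens.new
  controller = TravelersController.new(tokens)
  params = { "form_token" => tokens.issue, "name" => "z" }
  results = 3.times.map { Thread.new { controller.create(params) } }.map(&:value)
  [results.sort, controller.records.size]
end
```

A separate "is it used?" check followed by a later "mark as used" write would let all three requests through while the first is still sleeping; the single `delete` under the lock is what prevents that.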

The problem is that your users, like most users, are not very bright. They double-click (or in this case, triple-click) submit buttons. :disable_with will pretty much solve the issue; anybody with enough savvy to have JS disabled likely knows that you don't double-click submit buttons.

--Matt Jones