How to stop a user submitting the same data more than once.

Aldric Giacomoni wrote:

Quick hit from Google after using "disable form rails after click":
http://railsforum.com/viewtopic.php?id=9585

Hope this helps.

Cheers for the reply, but this is quick and dirty and doesn't solve the
problem if the user has JavaScript disabled.

I would rather understand what is happening when submit is pressed and
work things out from there.

Would be grateful for any more suggestions.

No.
I'm at home on my computer, the application is on a web server somewhere
in Germany (as far as I know). I will however try to create the error
from a different computer, see if that works.

Jim Burgess wrote:

No.
I'm at home on my computer, the application is on a web server somewhere
in Germany (as far as I know). I will however try to create the error
from a different computer, see if that works.

Can you reproduce the same kind of traffic surrounding the times when
the user was doing the submit? It's the blind leading the blind here,
but I wonder if that may have to do with it.

It's the blind leading the blind here,

:slight_smile:

It was last night and there was relatively little going on.
I don't think traffic is the problem.

Is the user who caused the problem friendly or malicious?

If (s)he is (or could be) malicious, then perhaps (s)he didn't use a
browser to create three records in your database, but instead wrote
some code to post three times in quick succession.

I just added a "sleep 5" to my #create method and tried using the
"curl" utility to replicate your problem:

curl -d"traveler[name]=z" http://localhost:3000/travelers

...but that failed because I didn't set the authenticity token
properly. I tried a few different things to figure out how to set it
properly, but ultimately gave up and just commented out the
#protect_from_forgery call in my application controller.

Sure enough, I was able to fire off 3 of these curl commands in quick
succession and create 3 new records.

If I were of a much more malicious bent, I could probably figure out
how to spoof the authenticity token. At this point, I was just trying
to figure out an answer to "how could this happen?".

If your user isn't malicious and isn't using some sort of automated
HTTP screen scraping/updating utility, then I've just wasted your time
making you read this.

--wpd

Jim Burgess wrote:

It's the blind leading the blind here,

:slight_smile:

It was last night and there was relatively little going on.
I don't think traffic is the problem.

Well, then it's time to sacrifice a goat.
How long does it take once the button is pressed? Try pressing it once,
then again after two-three seconds.

Or try double-clicking, then double-clicking again.

Remember -- users NEVER do things the way you expect them to, always the
way THEY want to.

You can put a hidden field in your form, detect it and then set a
session variable. Then don't process any more forms when you detect
the existence of the session variable.

The problem is that your users, like most users, are not very bright.
They double-click (or in this case, triple-click) submit
buttons. :disable_with will pretty much solve the issue; anybody with
enough savvy to have JS disabled likely knows that you don't double-
click submit buttons.

--Matt Jones
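
The hidden-field idea suggested above survives the quick-succession curl test described earlier in the thread only if the server consumes the token atomically before doing the slow work. This is an added example, not code from any poster: plain Ruby with hypothetical names (SubmissionStore, issue_token, simulate_triple_submit), where the mutex-guarded set stands in for a unique database index on a token column.

```ruby
require "securerandom"
require "set"

# Hypothetical in-memory stand-in for a table with a unique index on the
# form token; in a real app the database constraint plays this role.
class SubmissionStore
  attr_reader :records

  def initialize
    @issued  = Set.new   # tokens handed out with a rendered form
    @records = []        # rows actually created
    @lock    = Mutex.new
  end

  # Called when the form is rendered; the value goes into a hidden field.
  def issue_token
    token = SecureRandom.hex(16)
    @lock.synchronize { @issued << token }
    token
  end

  # Called from the create action. The token is claimed atomically BEFORE
  # the slow work, so concurrent duplicates of one form lose the race.
  # Tokens that were never issued are rejected the same way.
  def create(token, attrs)
    claimed = @lock.synchronize { !@issued.delete?(token).nil? }
    return :rejected unless claimed

    sleep 0.05 # constructed delay, like the "sleep 5" used in the thread
    @lock.synchronize { @records << attrs }
    :created
  end
end

# Three near-simultaneous posts of the same form, as a triple-click or
# three scripted requests would produce.
def simulate_triple_submit(store)
  token = store.issue_token
  3.times.map { Thread.new { store.create(token, { name: "z" }) } }.map(&:value)
end

if $PROGRAM_NAME == __FILE__
  store = SubmissionStore.new
  p simulate_triple_submit(store).tally
  p store.records.size
end
```

Checking for an existing record and then inserting, without an atomic claim or a unique constraint, leaves a window in which all three requests pass the check.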