[Catalyst] Double-posted forms (was:Relative links)

Bill Moseley moseley at hank.org
Thu Nov 10 14:35:19 CET 2005


On Thu, Nov 10, 2005 at 11:02:35AM +0000, Pedro Melo wrote:
> One other reason to do the redirect is to avoid reload issues. If the  
> URL still shows /admin/things/delete?o=X and it's showing the list,  
> if I hit reload, it will post the previous form again, and depending  
> on how you code your app, it could do nothing or bad things. Either  
> way, it's messy from a user pov, IMHO.

Yes, that's true.  Confusing seeing "delete" in the URL.  And even
with a redirect there's nothing keeping them from hitting back and
then hitting reload.

[Cat's redirect method is quite basic.  I was wondering if it should
check for a schema and add $c->base if not found to generate a correct
redirect.]


To help with double-posting I sometimes create a unique ID and place
it in a hidden field and in the session.  Then on submission I make
sure they match and then remove it from the session.

I have had feedback forms that people aim their bots at.  When
sessions are not available in those I create a hash of the current
minute and a secret phrase and on submission make sure that hash was
valid within the last X minutes.  Not hard to defeat as the bot just
needs to fetch a new form before posting, but it did stop the ones we
were having problems with.

Any other tricks for preventing double postings?

> I always redirect back to the list or view action after any action  
> based on POST or that modifies the state of the app. You can also  
> include a error or success message when you redirect.

You pass the message in the url or in the session?

-- 
Bill Moseley
moseley at hank.org
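Below is an added illustration of the two tricks described in the message above (the per-form ID stored in a hidden field and the session, and the session-less hash of the current minute plus a secret phrase). It is example code written for this archive page, not Bill's code and not part of Catalyst; it assumes a plain dict as the session store, a constructed placeholder secret, and an injectable clock so the time window can be checked offline. The minute-based check uses an HMAC rather than a bare hash, which is a safe generalisation of "hash of minute and secret".

```python
import hashlib
import hmac
import secrets
import time

# Placeholder secret for the example; a real deployment would load
# its own secret phrase from configuration (assumption, not from the page).
SECRET_PHRASE = b"example-secret-phrase-change-me"


# --- Trick 1: one-time form ID kept in the session and a hidden field ---

def issue_session_token(session):
    """Create a random form ID, remember it in the session, and return it
    for embedding in a hidden <input> field."""
    token = secrets.token_hex(16)
    session.setdefault("form_tokens", set()).add(token)
    return token


def consume_session_token(session, submitted):
    """Accept a submission only if its hidden-field ID is still in the
    session, then remove it so a reload or second POST is rejected."""
    tokens = session.get("form_tokens", set())
    if submitted in tokens:
        tokens.remove(submitted)
        return True
    return False


# --- Trick 2: session-less token from the current minute and a secret ---

def _minute_hash(secret, minute):
    # HMAC over the minute number; the secret keeps outsiders from
    # computing valid tokens for arbitrary minutes.
    return hmac.new(secret, str(minute).encode(), hashlib.sha256).hexdigest()


def issue_minute_token(secret, now=None):
    """Token for the minute in which the form is rendered."""
    now = time.time() if now is None else now
    return _minute_hash(secret, int(now // 60))


def verify_minute_token(secret, submitted, window_minutes, now=None):
    """True if the token was issued in the current minute or any of the
    previous `window_minutes` minutes, i.e. the form was fetched recently."""
    now = time.time() if now is None else now
    current = int(now // 60)
    for minute in range(current, current - window_minutes - 1, -1):
        if hmac.compare_digest(_minute_hash(secret, minute), submitted):
            return True
    return False


if __name__ == "__main__":
    session = {}
    form_id = issue_session_token(session)
    print("first post accepted:", consume_session_token(session, form_id))
    print("reload accepted:", consume_session_token(session, form_id))

    tok = issue_minute_token(SECRET_PHRASE)
    print("fresh form accepted:", verify_minute_token(SECRET_PHRASE, tok, 5))
```

The session token is the stronger of the two because it is removed on first use, so a browser reload after "back" is refused as well; the minute token only proves the form was fetched within the window, which is exactly the limitation the message points out.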
