[Catalyst] Double-posted forms (was:Relative links)
Pedro Melo
melo at simplicidade.org
Thu Nov 10 17:08:17 CET 2005
Hi,
On Nov 10, 2005, at 1:35 PM, Bill Moseley wrote:
> On Thu, Nov 10, 2005 at 11:02:35AM +0000, Pedro Melo wrote:
>> One other reason to do the redirect is to avoid reload issues. If the
>> URL still shows /admin/things/delete?o=X and it's showing the list,
>> if I hit reload, it will post the previous form again, and depending
>> on how you code your app, it could do nothing or bad things. Either
>> way, it's messy from a user pov, IMHO.
>
[...]
> To help with double-posting I sometimes create a unique ID and place
> it in a hidden field and in the session. Then on submission I make
> sure they match and then remove it from the session.
>
> I have had feedback forms that people aim their bots at. When
> sessions are not available in those I create a hash of the current
> minute and a secret phrase and on submission make sure that hash was
> valid within the last X minutes. Not hard to defeat as the bot just
> needs to fetch a new form before posting, but it did stop the ones we
> were having problems with.
Never needed something like this, but I understand its usefulness in
some scenarios.
> Any other tricks for preventing double postings?
Apart from JS-powered stuff like disabling the submit button, nothing
else to add.
>> I always redirect back to the list or view action after any action
>> based on POST or that modifies the state of the app. You can also
>> include a error or success message when you redirect.
>
> You pass the message in the URL or in the session?
Never in the session. Either the text in the URL or an ID in the URL
that matches the message text in an I18N db, depends on the requirements.
Best regards,
--
Pedro Melo
JID: melo at simplicidade.org
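The two anti-double-post checks Bill describes above (a one-time token kept in the session, and a sessionless time-windowed stamp for forms that bots hit), as an added example that is not code from this thread or from Catalyst. The session is modelled as a plain dict, the secret is a constructed value, and the stamp uses an HMAC of the minute in place of the plain hash he mentions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real app loads this from configuration.
SECRET = b"constructed-demo-secret-phrase"


def issue_form_token(session):
    """Mint a one-time token, remember it in the session, return it for the hidden field."""
    token = secrets.token_urlsafe(16)
    session.setdefault("form_tokens", set()).add(token)
    return token


def consume_form_token(session, submitted):
    """Accept a submitted token exactly once.

    Valid only if the session still holds it; it is removed on success, so a
    browser reload that re-posts the same form is rejected the second time.
    """
    tokens = session.get("form_tokens", set())
    if submitted in tokens:
        tokens.discard(submitted)
        return True
    return False


def minute_stamp(secret, minute):
    """Sessionless variant: HMAC-SHA256 over the minute number with a secret phrase."""
    return hmac.new(secret, str(minute).encode(), hashlib.sha256).hexdigest()


def stamp_is_fresh(secret, stamp, now_minute, window=10):
    """True if the stamp was issued for any minute in the last `window` minutes.

    Each candidate minute is recomputed and compared in constant time; as the
    post notes, a bot that fetches a fresh form first still passes this check.
    """
    for offset in range(window + 1):
        candidate = minute_stamp(secret, now_minute - offset)
        if hmac.compare_digest(candidate, stamp):
            return True
    return False


if __name__ == "__main__":
    session = {}
    token = issue_form_token(session)
    print("first submit:", consume_form_token(session, token))   # True
    print("reload/resubmit:", consume_form_token(session, token))  # False
    now = int(time.time() // 60)
    print("fresh stamp:", stamp_is_fresh(SECRET, minute_stamp(SECRET, now), now))
```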