
Double Submit Protection

The ease with which a user can inadvertently or deliberately submit a web form multiple times is a persistent problem with web applications and web forms.

Typically this problem arises when a user attempts to submit a form and the server does not immediately respond to the request. The delay can be due to network traffic, high load, or a particularly complex action that must be completed. In any event, it does not take long before the user begins to wonder if they actually hit the button and they click it again just to make sure.

If your application is not properly designed, this can lead to multiple identical records or to actions being processed more than once, sometimes with undesirable side effects (like multiple billing).

There are a couple of solutions to this problem.

  1. Warn the user to avoid clicking the button more than once. This is a complete cop-out on the part of the programmers and is just inviting trouble.
  2. Disable the submit button when pressed (using AJAX). This sort of works, but if the server is slow and non-responsive, this is likely to fail too. This will also fail if the user has JS turned off, or if they reload or go back to the form and resubmit.
  3. Disable the button via JavaScript. This works reasonably well, but if the user uses the browser back button, they can press the submit button again, resulting in a double submit. Again, this will fail if JS is turned off.

The reality is that all of these solutions have problems and don’t really address the underlying issue. The real problem is not that the user is submitting multiple copies of the same request; the problem is that the server is trying to act on all of them.

The double_submit_protection plugin for Rails

How it works.

  1. The user submits a request.
  2. If the request is successfully processed, the plugin records the time and the contents of the params.
  3. If a request with an identical params array is processed within a predefined interval, it will reject the request or redirect to another page.

The user can then do whatever they want and they won’t be able to send the identical request again until the time interval expires.

If they change the content of the form and resubmit, that request will work.

Installation

script/plugin install svn://sciwerks.com/home/sciwerks/public_svn/double_submit_protection/

Usage:

First, restart your server.

To protect your entire application from duplicate post requests (non-ajax) you can put the following code in your application controller.

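    # application.rb (inside the application controller class)

    double_submit_protection  :method => :post,   # only guard POST requests
                              :xhr => false,      # leave AJAX requests alone
                              :interval => 60,    # the predefined interval
                              :flash => {:warning => 'Double Submit Detected'},
                              :redirect_to => {:action => 'index'}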

Disclaimer and Tips

This is beta stuff, so don’t be surprised if it breaks things. In particular, it can block some repeated AJAX calls if you don’t configure it properly.

Note that since it uses a before filter to do its dirty work, you can limit the actions it applies to by passing parameters like

:only=>['action'], or
:except=>['action']

You may need to adjust the timeout period to suit your needs. Longer timeouts will make your session object get pretty big.

If you have a datetime_select in your form, it may circumvent any timeout interval. If this control defaults to the current time, then the plugin will not be able to tell that it is the same because the ‘minutes’ field will be changing. It should work fine against multiple submit presses, but it will have a harder time with refresh-submit cases. Future versions may have the option to ignore datetimes in the params.
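The check from "How it works", together with the session-size and datetime_select tips above, as an added Ruby sketch; it is not the plugin's own code. The class name `DoubleSubmitGuard`, the `ignore` option, the SHA-256 fingerprint and an interval measured in seconds are all assumptions made for the illustration.

```ruby
require 'digest'
require 'json'

# Added sketch of the check described above; not the plugin's own code.
# `store` stands in for the session hash; `ignore` is a hypothetical option.
class DoubleSubmitGuard
  def initialize(store, interval:, ignore: nil)
    @store = store        # fingerprint => time of the successful request
    @interval = interval  # seconds during which a repeat is rejected (assumed unit)
    @ignore = ignore      # Regexp of flattened param keys to leave out
  end

  # Digest of the params with nested keys flattened and sorted, so key order
  # does not matter and raw form values are not kept in the session.
  def fingerprint(params)
    pairs = flatten(params).reject { |key, _| @ignore && key.match?(@ignore) }
    Digest::SHA256.hexdigest(JSON.generate(pairs.sort))
  end

  # Step 3: was an identical request recorded less than `interval` ago?
  def duplicate?(params, now = Time.now)
    @store.delete_if { |_, seen| now.to_f - seen >= @interval } # keep store small
    @store.key?(fingerprint(params))
  end

  # Step 2: call only after the request was processed successfully.
  def record(params, now = Time.now)
    @store[fingerprint(params)] = now.to_f
  end

  private

  def flatten(params, prefix = nil)
    params.flat_map do |k, v|
      key = prefix ? "#{prefix}[#{k}]" : k.to_s
      v.is_a?(Hash) ? flatten(v, key) : [[key, v.to_s]]
    end
  end
end

# Constructed sample: the same form resubmitted with a later minute field.
guard = DoubleSubmitGuard.new({}, interval: 60, ignore: /\(\di\)\]?\z/)
first = { 'event' => { 'name' => 'demo', 'at(4i)' => '10', 'at(5i)' => '01' } }
again = first.merge('event' => first['event'].merge('at(5i)' => '02'))
guard.record(first)
puts guard.duplicate?(again) # true: only the ignored minute field differs
```

In this sketch, as in the steps above, the fingerprint is recorded only after success, so two identical requests that both arrive before the first one finishes will both pass the check.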

12 Responses to “Double Submit Protection”

  1. October 23rd, 2006 | 12:43 pm

    [...] Where to get the plugin Kevin Olbrich of SciWorks with some beta testing on my part has released the Double Submit Protection for Ruby on Rails Plugin. [...]

  2. October 23rd, 2006 | 2:08 pm

    I disagree with step #3:

    “if a request with an identical params array is processed within a predefined interval it will reject the request or redirect to another page”

    It seems reasonable to me to cache the result of the original request and then replay that response in the case of a double click.

  3. October 23rd, 2006 | 2:29 pm

    I don’t believe that resending the cached results of the previous submit will always be the best solution, so I left the implementation of this to the developer.

    If you want to show the results of the previous submit, it’s not too hard to implement. Just have it redirect to an action that will resend the previous results.

    If enough people are interested in that particular functionality, I’ll look into integrating it in the next version.

  4. November 12th, 2006 | 1:21 pm

    Double Submit Protection Plugin Released…

    One of the most challenging situations to cope with is the impatient user who insists on clicking the…

  5. Chris
    December 21st, 2006 | 3:05 am

    Is the repository down? I keep getting connection refused. Are there any mirrors? Thanks Chris

  6. December 21st, 2006 | 7:03 am

    It should be available again. If you still cannot get it, email me at kevin dot olbrich at gmail dot com.

  7. Katharina
    March 19th, 2007 | 11:02 am

    I’m trying to install the plugin but I get this:

    svn: Can’t connect to host ’sciwerks.com’: Connection refused

    Thanks Katy

  8. bob
    March 29th, 2007 | 8:41 pm

    That’s not a solution. A user can let that page sit there or go back to it for as long as their session is active.

    Sorry nice try.

  9. April 6th, 2007 | 8:32 pm

    Bob…. the plugin is designed to prevent users from inadvertently submitting a form twice, either from a slow response or an itchy mouse finger. It is not designed to prevent a user from ever submitting the same form again. If the user is just letting the page sit, then they didn’t submit it and no problem exists.

    I have another solution for preventing people from going back to a form, but I haven’t blogged about it yet.

  10. August 9th, 2007 | 1:51 pm

    Could you email me a zip file with the double submit protection ruby plugin please?
    Thank you! Really…

    Regards, TW

  11. November 26th, 2008 | 8:28 am

    Not so bad as earlier.

  12. tammy
    August 19th, 2010 | 5:43 pm

    in the event that a user presses submit twice, quickly, and the server is slow to respond… seems it could be that the first request will not have completed and therefore its params/success is not yet recorded in the db… so the form will be submitted twice.
