Limit user to filling out form only once

I'm looking to create a simple web form, and I would like to "discourage" users from filling a form out multiple times. The metrics of the form are used for statistical analysis, and each time a user fills out and resubmits the form, the result set usually changes, and hence analysis.

While we don't want to BLOCK re-trys (knowing that a re-try was done is also valuable information), we do want to warn users: "Hey, it looks like you filled this out recently. Are you sure you want to fill it out again?"

The caveat here is that we want to minimize the amount of personably identifiable information collected.

Is storing a cookie with the clients IP the best/simpliest way to do this? Or is there a simple method for caching an IP server-si开发者_运维百科de for xx amount of time so we can run a comparison to says "hey, I think this guy tried to access me earlier today. I should present a warning".

Cookie with constant value should be enough, not even IP. If user did not cleared cookies you'd know that the user already filled out the form.

On easy solution I've used before is to put an invisible timestamp in the HTML form the user fills out. If you get submitted the same timestamp twice, you know its a re-submittion.

If you're worried about tampering, you can always mix up/encrypt the timestamp.

This could also just be a random unique identifier, I chose a timestamp in order to know how long a user took filling out a form (roughly).

This is basically like a session cookie, but might be considered more "private" as theres nothing for a client's computer to remember so it can't be used as like some tracking cookies ad sites.

The downside is that this method requires that a client/proxy not cache the form as it "changes" every request.

There are two issues here the user clicking the submit button multiple times, and the user filling in the form at another point in time.

For the second I can see two quite simple solutions would recommend a session cookie, just cookie the users machine and don't let them see the form again, or ask for a piece of information like email address and then check in the DB if its been used before, if so disregard the new form details.

For the multiple form submit you can use this code, which will disable the button onclick.

   //
   // Disable button with no secondary JavaScript function call.
   //
   public static void DisableButtonOnClick(Button ButtonControl)
   {
       DisableButtonOnClick(ButtonControl, string.Empty);
   }

    // Disable button with a JavaScript function call.
    //
    public static void DisableButtonOnClick(Button ButtonControl, string ClientFunction)
    {
        var sb = new StringBuilder(128);

        // If the page has ASP.NET validators on it, this code ensures the
        // page validates before continuing.
        sb.Append("if ( typeof( Page_ClientValidate ) == 'function' ) { ");
        sb.Append("if ( ! Page_ClientValidate() ) { return false; } } ");

        // Disable this button.
        sb.Append("this.disabled = true;");

        // If a secondary JavaScript function has been provided, and if it can be found,
        // call it. Note the name of the JavaScript function to call should be passed without
        // parens.
        if (!String.IsNullOrEmpty(ClientFunction))
        {
            sb.AppendFormat("if ( typeof( {0} ) == 'function' ) {{ {0}() }};", ClientFunction);
        }

        // GetPostBackEventReference() obtains a reference to a client-side script function 
        // that causes the server to post back to the page (ie this causes the server-side part 
        // of the "click" to be performed).
        sb.Append(ButtonControl.Page.GetPostBackEventReference(ButtonControl) + ";");

        // Add the JavaScript created a code to be executed when the button is clicked.
        ButtonControl.Attributes.Add("onclick", sb.ToString());
    }