
F5 (refresh) act as submit

I have a hidden parameter called 'act' that should pass one of the values 'load', 'save' on pressing the submit button.

The problem is when pressing the F5 (refresh) button after pressing the submit button: because the URL already contains '&act=save', pressing F5 actually passes the 'save' value (to the CGI) again, and it performs the save action again even though I didn't press the submit button.

The question is: how can I prevent sending '&act=save' on pressing the refresh button?

Thanks


Thank you all, but the submit button is a 'save' button, meaning I wish to leave the user the ability to perform additional saves, so I don't want to leave the page. For this reason, I don't think that the session may help to distinguish between the second save and the first refresh.


The core problem here is that you are using GET when you should be using POST. The HTTP specification says:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.

If you were using POST then the browser would, at least, warn you about resubmitting a form.

To avoid even that, use the POST-Redirect-GET pattern.


You can't really prevent the user from pressing F5, or prevent the reloading of the page from resubmitting the form; even using the POST method in the form will allow the user to resend the data.

Two common things to overcome this:

  1. Using a session variable: set it on the first form submission, then check for it. If it exists, it means the form was already submitted, so just ignore it or post a custom message.

  2. After a successful submission, redirect the user to a different page. This way, pressing F5 will reload that new page and won't resend the data.


A more complex solution than those already provided is to create an action token each time a page with a form is generated. This action token is stored on the server and also sent to the client. When the client submits the form, it includes the action token. When the server receives a form submission, it checks the action token against the token or tokens stored in that user's session. If it matches a non-expired token, then it allows the form processing to continue and expires the token in the session.

This prevents forms from being submitted more than once and also has the side benefit that, if implemented properly, it can help mitigate cross-site request forgery.
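The action-token scheme described in the answer above, as an added example that is not part of the original post: a token is issued each time the form is rendered and is consumed on the first matching submission, so an F5 replay of the same request is rejected while a deliberate second save from the re-rendered form (which carries a new token) succeeds. The names `ActionTokens` and `handle_save`, the `token` and `data` field names, the in-memory store and the 600-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL = 600  # assumed lifetime, in seconds, of an unused token


class ActionTokens:
    """One-time form tokens per session (in-memory stand-in for real session storage)."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._by_session = {}  # session id -> {token: expiry time}

    def issue(self, session_id):
        """Call while rendering the form; put the result in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._by_session.setdefault(session_id, {})[token] = self._clock() + self._ttl
        return token

    def consume(self, session_id, submitted):
        """True exactly once per valid token; replayed, expired or foreign tokens fail."""
        tokens = self._by_session.get(session_id, {})
        now = self._clock()
        for stale in [t for t, expiry in tokens.items() if expiry <= now]:
            del tokens[stale]
        for candidate in list(tokens):
            # Constant-time comparison of the stored and submitted values.
            if hmac.compare_digest(candidate.encode(), submitted.encode()):
                del tokens[candidate]  # expire the token on first use
                return True
        return False


def handle_save(store, session_id, form, saved):
    """Hypothetical handler for act=save: saves only when the token is fresh."""
    if form.get("act") != "save":
        return "ignored"
    if not store.consume(session_id, form.get("token", "")):
        return "rejected"  # refresh replay, expired token, or request from another site
    saved.append(form.get("data"))
    return "saved"
```

Because the token is bound to the session and checked on the server, a request that arrives without a token issued to that session is rejected as well, which is the cross-site request forgery benefit the answer mentions.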
