You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by James G Smith <JG...@JameSmith.COM> on 2001/01/07 19:03:27 UTC

Re: getting rid of multiple identical http requests (bad users double-clicking) 

Stas Bekman <st...@stason.org> wrote:
>On Fri, 5 Jan 2001, Gunther Birznieks wrote:
>
>> Sorry if this solution has been mentioned before (i didn't read the earlier 
>> parts of this thread), and I know it's not as perfect as a server-side 
>> solution...
>> 
>> But I've also seen a lot of people use javascript to accomplish the same 
>> thing as a quick fix. Few browsers don't support javascript. Of the small 
>> amount that don't, the venn diagram merge of browsers that don't do 
>> javascript and users with an itchy trigger finger is very small. The 
>> advantage is that it's faster than mungling your own server-side code with 
>> extra logic to prevent double posting.
>
>Nothing stops users from saving the form and resubmitting it without the
>JS code. This may reduce the number of attempts, but it's a partial
>solution and won't stop determined users.

Nothing dependent on the client can be considered a fail-safe 
solution.

I encountered this problem with some PHP pages, but the idea is 
the same regardless of the language.

Not all pages have problems with double submissions.  For 
example, a page that provides read-only access to data usually 
can be retrieved multiple times without damaging the data.  It's 
submitting changes to data that can become the problem.  I ended 
up locking on some identifying characteristic of the object whose 
data is being modified.  If I can't get the lock, I send back a 
page to the user explaining that there probably was a double 
submission and everything might have gone ok.  The user would 
need to go in and check the data to make sure.

In pseudo-perl-code:

sub get_lock {
  my($objecttype, $objectid) = @_;

  $n = 0;
  local($sec,$min,$hr,$md, $mon, $yr, $wday, $yday,$isdst) = gmtime(time);
  $lockfile = sprintf("%s/%4d%2d%2d%2d%2d%2d-%s", $objecttype, $yr+1900, $mon+1, $md, $hr, $min, $sec, $objectid);
  for( $n = 0; $n < 10000 && !$r; $n++ ) { 
    $r = link("$dir/$nullfile", "$dir/$lockfile-$n.lock");
  }
  
  return $r;
}

So, for example, if I am trying to modify an entry for a test 
organization in our directory service, the lock is

  "/var/md/dsa/shadow/www-ldif-log/roles and organizations/20010107175816-luggage-org-0.lock"

  $dir = "/var/md/dsa/shadow/www-ldif-log";
  $objecttype = "roles and organizations";
  $objectid   = "luggage-org";

This is a specific example, but I'm sure other ways can have the 
same result -- basically serializing write access to individual 
objects, in this case, in our directory service.  Then, double 
submissions don't hurt anything.

Regarding the desire to not add code - never let down your guard 
when you are designing and programming.  Paranoid people should 
be inherently more secure.
------------------------------------+-----------------------------------------
James Smith - jgsmith@jamesmith.com | http://www.jamesmith.com/
            jsmith@sourcegarden.org | http://sourcegarden.org/
              jgsmith@tamu.edu      | http://cis.tamu.edu/systems/opensystems/
------------------------------------+------------------------------------------