Posted to users@tomcat.apache.org by Jerry Malcolm <te...@malcolms.com> on 2015/06/17 17:55:32 UTC

OT: Random Form Resubmissions

OT:  I have a simple 'contact-us' webapp that has been running for 
years.  I'm not having any problems with it directly.  However, 
periodically, I get resubmissions of the form from the client's 
computer, sometimes randomly once a day for several days/weeks, and 
sometimes once or twice two weeks after the original form was 
submitted.  The obvious answer to this would be that the client just 
keeps hitting the back button and resubmitting the form.  But I know 
that is not the case.  I have a little JavaScript snippet that sets the 
current date in a hidden field when the user hits the submit button 
(spam robots don't recognize this, so spam-robot-submissions will not 
have a valid date in the hidden field).   When these random form 
resubmissions come in they have the original date/time in that hidden 
field from when they actually requested and submitted the form.

So what I know at this point:

1) This is rare.  But when it starts with a particular form, I'll get 
resubmissions anywhere from once every few hours to once every couple of 
weeks.

2) It finally stops.  But one specific form kept coming in once a day 
(random time each day) for over 2 months (still with original date/time 
from two months earlier in that hidden field)

3) I checked the apache httpd logs, and the resubmissions are coming 
from the original user's IP address.  They are definitely coming in as a 
new request each time to apache/tomcat (as opposed to my webapp code 
somehow reprocessing the original request)

4) The user is NOT hitting the submit button over and over as proven by 
the time/date in the hidden field.

I have written defensive code in my webapp to detect this situation and 
handle it.  So it's not a critical problem now. But it just frustrates 
me that I have no clue what is going on.  And I'm curious if the users 
are seeing something strange as this is occurring.  It appears that the 
client's browser is holding onto the form and just randomly resending it 
to the server without the user's knowledge.  And it finally stops when they 
close their browser or reboot their computer.  I know this makes zero sense.

So.... I know this is not precisely tomcat related.  But I know this 
forum has followers with a vast range of knowledge in many areas. I'm 
just curious if this rings any bells, or if anyone can explain what is 
going on here.  Anybody know what would cause a browser to keep randomly 
resending a form request to the server?

Thanks.

Jerry


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: OT: Random Form Resubmissions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jerry,

On 6/17/15 11:55 AM, Jerry Malcolm wrote:
> OT:  I have a simple 'contact-us' webapp that has been running for 
> years.  I'm not having any problems with it directly.  However, 
> periodically, I get resubmissions of the form from the client's 
> computer, sometimes randomly once a day for several days/weeks,
> and sometimes once or twice two weeks after the original form was 
> submitted.  The obvious answer to this would be that the client
> just keeps hitting the back button and resubmitting the form.  But
> I know that is not the case.  I have a little JavaScript snippet
> that sets the current date in a hidden field when the user hits the
> submit button (spam robots don't recognize this, so
> spam-robot-submissions will not have a valid date in the hidden
> field).   When these random form resubmissions come in they have
> the original date/time in that hidden field from when they actually
> requested and submitted the form.
> 
> So what I know at this point:
> 
> 1) This is rare.  But when it starts with a particular form, I'll
> get resubmissions anywhere from once every few hours to once every
> couple of weeks.
> 
> 2) It finally stops.  But one specific form kept coming in once a
> day (random time each day) for over 2 months (still with original
> date/time from two months earlier in that hidden field)
> 
> 3) I checked the apache httpd logs, and the resubmissions are
> coming from the original user's IP address.  They are definitely
> coming in as a new request each time to apache/tomcat (as opposed
> to my webapp code somehow reprocessing the original request)
> 
> 4) The user is NOT hitting the submit button over and over as
> proven by the time/date in the hidden field.
> 
> I have written defensive code in my webapp to detect this situation
> and handle it.  So it's not a critical problem now. But it just
> frustrates me that I have no clue what is going on.  And I'm
> curious if the users are seeing something strange as this is
> occurring.  It appears that the client's browser is holding onto
> the form and just randomly resending it to the server without the
> user's knowledge.  And it finally stops when they close their
> browser or reboot their computer.  I know this makes zero sense.
> 
> So.... I know this is not precisely tomcat related.  But I know
> this forum has followers with a vast range of knowledge in many
> areas. I'm just curious if this rings any bells, or if anyone can
> explain what is going on here.  Anybody know what would cause a
> browser to keep randomly resending a form request to the server?

Could this be happening when someone submits the form and then leaves
the page open forever in a forgotten tab in their web browser?

Perhaps even after a restart, the tab is resurrected, and the browser
re-submits the POST that originally generated the page?

If you aren't already doing this, I would recommend adopting a
redirect-after-POST strategy so that even RELOADING the page after the
form doesn't re-POST the initial form.

Another thing you can do is generate a token on the server and stick
it in the page. When you accept the form, check to see if the token is
valid. If not, bomb to a "sorry" page, otherwise, process it as usual.

-chris

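
The two measures suggested in the reply above, a server-issued single-use token and redirect-after-POST, shown together as an added example that is not code from this thread. It is framework-neutral Python; the `/contact` paths, the field names, the in-memory token store, the 400 status for the "sorry" page and the one-hour token lifetime are all assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL = 3600   # assumed token lifetime in seconds
issued = {}        # token -> issue time; stands in for session or database storage
messages = []      # stands in for actually sending the contact message


def render_form(now=None):
    """GET /contact: issue a fresh single-use token and embed it in the form."""
    now = time.time() if now is None else now
    # Drop tokens that were never submitted so the store cannot grow forever.
    for stale in [t for t, ts in issued.items() if now - ts > TOKEN_TTL]:
        del issued[stale]
    token = secrets.token_urlsafe(32)
    issued[token] = now
    html = ('<form method="post" action="/contact">'
            f'<input type="hidden" name="token" value="{token}">'
            '<textarea name="message"></textarea></form>')
    return token, html


def handle_post(body, now=None):
    """POST /contact: return (status, headers, text) for a urlencoded body."""
    now = time.time() if now is None else now
    fields = parse_qs(body)
    token = fields.get("token", [""])[0]
    # pop() consumes the token, so a byte-identical replay finds nothing.
    issued_at = issued.pop(token, None)
    if issued_at is None or now - issued_at > TOKEN_TTL:
        return 400, {}, "Sorry, this form was already submitted or has expired."
    messages.append(fields.get("message", [""])[0])
    # Redirect-after-POST: the page the browser keeps (and may reload or
    # restore later) is the result of a GET, not of the POST.
    return 303, {"Location": "/contact/thanks"}, ""


if __name__ == "__main__":
    token, _ = render_form(now=0)
    body = f"token={token}&message=hello"        # constructed sample request body
    print(handle_post(body, now=30))             # first submission
    print(handle_post(body, now=30 + 86400))     # same POST resent a day later
```

Because the token is checked on the server, the resent request is rejected even though it carries the original client-side date field unchanged.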