How can I prevent form re-submission in PHP (which protects multiple windows)?

I tried:

  • method POST / REDIRECT / GET, but this does not protect against multiple instances of the same form (for example, if a user opens form.php in two separate windows and submits the form in window 1, they might still submit to window 2)

  • UNIQUE TOKEN method where the uid is generated into a session variable when the form is loaded and submitted and canceled when the form is being processed, but if the user has other different forms open, the variable is not set from those other forms, so they are treated as "already processed".


source to share

3 answers

Have you seen Ofir Baruch's comment? It seems correct to me.

You just need to combine the two approaches you've already tried, get them right, and according to Ophir Baruch, there is a unique marker session for each look.

More or less:



if (empty($_SESSION['form_tokens']['form1']))
    $_SESSION['form_tokens']['form1'] = generate_random_token();

if (isset($_POST['token']))
    if ($_POST['token']) != $_SESSION['form_tokens']['form1'])
        // the token is invalid - do not process the form
        // process the form here
        if ($success)
            // reset the token for this form

<form id="form1">
    <input type="hidden" name="token" value="<?php echo $_SESSION['form_tokens']['form1']; ?>" />
    <input type="submit" value="Submit" />


In form2.php, you will do the same, but use your unique token instead:



If you want ALSO to use two different browsers - or even computers - and this is so important, then you have to deal with it elsewhere - I mean you shouldn't allow the same USER to have TWO SESSIONS. There are several ways to do this, but this is another question.



Are the forms submitted only to registered users or site visitors?

If this form is for registered users only, you can check their user_id as soon as the form reaches your controller. You can set a temporary cookie or session variable while processing forms. When the form is complete, you can disable this session variable. Once the form appears, check if this session variable is ALREADY set (i.e. if they submitted the form twice). If this session variable is found, skip the request.

I suppose you can do the same with site visitors, or even resort to using tables to store IP addresses, but this is a bit redundant and resource intensive.



Determine which forms you only need for individual views. Then add your unique token as a hidden id, every time you create an html form and save it to a session. It was you know all valid IDs that are part of the raw group. only one of them overrides all other identifiers of this group ONLY. it also means that after opening several other forms, they start to create a new group.

this open one needs you to have an array of sessions (or db) with elements of all ids belonging to the raw form. only one group can stay at a time. any identifier not present in the group is ignored / canceled.



All Articles