I have a standard form built with rails, which a user to my site can use
to submit data. Unfortunately one user just managed to submit exactly
the the same data three times in a row.
From the server logs it seems as though he didn’t use his back button
and then resubmit everything. It looks more like he got a bit fed up
waiting for the form to process and pressed the submit button three
times.
However, I didn’t think this was possible in Rails. Is this correct?
For the life of me I cannot reproduce this error, even by entering the
exact same data the user did and pressing submit ten times in quick
succession.
Can anyone give me any tips on as to why this might have happened and
what I can do to prevent this happening in future.
I would rather understand what is happening when submit is pressed and
work things out from there.
In my very limited understanding of the web, this is what happens:
data is entered
‘submit’ is pressed
Asynchronous request is sent. If there is a way to make a form submit
a synchronous request, as in, won’t be usable until the server comes
back with “200 OK” or whatever a server does when it’s happy, then
that’s probably what you want.
Thanks for the reply.
I am still confused though, as to why I cannot reproduce the error.
When I press submit ten times in quick succession then only one data set
is submitted.
Are you trying from the server? A computer on the same switch? On the
same subnet? Remember, we’re dealing with packets here
Thanks for the reply.
I am still confused though, as to why I cannot reproduce the error.
When I press submit ten times in quick succession then only one data set
is submitted.
No.
I’m at home on my computer, the application is on a web server somewhere
in Germany (as far as I know). I will however try to create the error
from a different computer, see if that works.
No.
I’m at home on my computer, the application is on a web server somewhere
in Germany (as far as I know). I will however try to create the error
from a different computer, see if that works.
Can you reproduce the same kind of traffic surrounding the times when
the user was doing the submit? It’s the blind leading the blind here,
but I wonder if that may have to do with it…
I have a standard form built with rails, which a user to my site can
use
to submit data. Unfortunately one user just managed to submit exactly
the the same data three times in a row.
From the server logs it seems as though he didn’t use his back button
and then resubmit everything. It looks more like he got a bit fed up
waiting for the form to process and pressed the submit button three
times.
if the back action just fetched the page from the browser’s local
cache you wouldn’t be able to tell.
However, I didn’t think this was possible in Rails. Is this correct?
Nothing particular in rails to stop this (or rather it is a client
side problem really - rails just sees 3 inbound requests)
Is the user who caused the problem friendly or malicious?
If (s)he is (or could be) malicious, then perhaps (s)he didn’t use a
browser to create three records in your database, but instead wrote
some code to post three times in quick succession.
I just added a “sleep 5” to my #create method and tried using the
“curl” utility to replicate your problem:
…but that failed because I didn’t set the authenticity token
properly. I tried a few different things to figure out how to set it
properly, but ultimately gave up and just commented out the #protect_from_forgery call in my application controller.
Sure enough, I was able to fire off 3 of these curl commands in quick
succession and create 3 new records.
If I were of a much more malicious bent, I could probably figure out
how to spoof the authenticity token. At this point, I was just trying
to figure out an answer to “how could this happen?”.
If your user isn’t malicious and isn’t using some sort of automated
HTTP screen scraping/updating utility, then I’ve just wasted your time
making you read this.
I have just finished entering the same data into IE and was rather
surprised to see that I could submit it many times.
So, it seems to be the case that Firefox 3.5 surpresses this behaviour,
whilst IE lets you submit your data as many times as you want.
Do you think it would be possible to stop this by using a session.
In PHP I would do something like this:
session_start();
if (!session_is_registered(“counted”)){
$query= insert_database();
session_register(“counted”);
}
On Wed, Aug 26, 2009 at 10:09 AM, Jim
Burgess[email protected] wrote:
I would rather understand what is happening when submit is pressed and
work things out from there.
You can put a hidden field in your form, detect it and then set a
session variable. Then don’t process any more forms when you detect
the existence of the session variable.
They could have also hit the ‘enter’ key multiple times too, not
clicking anything.
But in either case, a small amount of javascript will prevent this.
To prevent the submit button being pressed many times I am using
<%= submit_tag “Submit”, :onclick => “this.disabled = true” %>
as kindly suggested by Aldric.
How would I stop users pressing enter multiple times with java script.
JS is really not my forte so i would be grateful for any advice
Thanks for all of the answers.
I solved it a little differently and will explain how in case
a) it helps anybody else
b) there is a flaw in my method which I have overlooked
What I did was in the controller:
Create a model object: @applicant = Applicant.new(params[:applicant])
Wait for a post request.
Look up the last email address sucessfully stored in the database.
Check if it is the same as the email address currently being submitted?
If so, it is possible that someone has pressed submit twice, or used the
back button in their browser. This can therefore be ignored and the user
redirected to the success view.
If the email adresses are not identical, check if @applicant can be
saved.
If it can, redirect to success, if it can’t re render index view.
If the applicant is redirected to the success view without their data
being saved (i.e. if both email addresses are the same), then they also
receive a flash message that a double data entry was detected for their
email address and that the record was only saved once.
For this particular application it is not desired that people can apply
twice and in practice it rarely happens.
enter just processes the submit button. if you disable the submit
button, then enter key press will be disabled as well. personally, i
would get rid of the submit tag and use a image_submit_tag to get rid
of stupid keyboard annoyances. This will force the user to click on
the link to submit and you can do things like asking for confirmation
or disabling it once pressed.
