preventing browsers from reposting forms

Anon

Hi !

I have been looking through these forums about the "Page has expired" issue, and found a lot of people worrying about this error message. A few solutions are proposed, like for example using the GET method instead of POST, or submitting to the same page and then using a header() to redirect.

What I want to do is the opposite : I want to PREVENT any browser from reloading the pages in which form data has been posted, or at least prevent them from reposting the forms' data. A simple example :

user 1 logs in to a restricted area, using a POST form to submit their username and password, then logs out.
user 2, on the SAME station, clicks the BACK button several times, until he reaches the FIRST restricted page user 1 has seen.
the usual message (warning, page has expired...) is displayed, prompting user 2 to click "refresh" to post the data again. The result is : user 2 can repost user 1's identification info, and log in on their account !

I know a simple workaround is to close all the browser's windows, but i think it's not very reliable. I'd like to find a better way to prevent this "form resubmit through refresh", otherwise the "log out" functionnality would be completely useless...

I'm convinced this problem is quite trivial for you security experts out there, and i'm frustrated not to be able to find the solution somewhere.

Thanks for any help.

Anon

use cookies or session ids

have a cookie in the beginning that checks the following

once the user hits submit

if (cookie is not set)
set it
else
Error_Handler("Cannot resubmit");

Anon

Thanks for your advice !

I'm wondering though... this method is good for preventing a form from being re-posted, but won't it totally prevent any user from re-logging after leaving the restricted area ?

My point is not avoiding re-post in the "normal" way (ie coming again to the index page and filling the login/password form... which requires you to know them) but automatic re-post by the browser (which allows you to log in even if you don't know the pass). Any new ideas ?

Anon

You probably found a solution by now but I thought I would share what worked for me.

When printing out the form I store a random number in a session variable and put a hidden field in the form with the same random number as its value. When processing the form submission I compare the value of the hidden field in the form with the one in the session. If they don't match then I don't process the form. If they do match I process the form and unregister the variable from the session. If a user tries to re-post the form the value in the session will no longer match the hidden field in the form.

zalath

Hmmm. Embarrassing. I never thought of that. I just replied to someone with this incredibly difficult explanation on how to use a database for storing 'used' sessions, and here you have a simple and elegant solution =). Thank you.

namaste

Here is the solution we used in our project.
On the form I have a hidden field named submit check. that post to the script with this snippet in it.
----------------------->Code START

session_register("submit_check");

If ($proof_submit == "OK Proof")
{
$submit_check++;
If ($submit_check > 1)
{
echo $submit_check;
header("Location: multiple_click.php");
break;
}
}
-------------------->Code END

Then I use session unregister("submit_check") on the page that lets my customers place a new order so their session still current but that var no longer exists.

I don't know if this is the most efficient way but it seems to work so far.

Josh