Stop Refresh and Back Button

NZ_Kiwis

I've got a site which has forms, one submit it goes to whatever_submit.php where it does it's thing, add, deletes updates a database and at the bottom it has

header("LOCATION: index.php")

How can i stop a user going "back" so it adds something to my database again and again, i know some javascript can block the back button on some browsers but this isn't a good way of stopping it.

Is there a code way I can make the page redirect if it's not the first time the page is submitted.

dagon

common solutions would be seesions or checking the data is not a duplicate.

NZ_Kiwis

Duplicated data would work but some rows maybe the same - crazy but given my project it's possible.

How would sessions do it?

bradgrafelman

Using sessions, you could do something like the following:

User requests the form page. Generate some token ([man]uniqid/man, anything really) and store it in the session. Include this token as a hidden input in the form.
Upon submission of a form, check for this token in the session and make sure the value matches that which was POST'ed with the data. If it does, process the form as usual.

If it does not, don't process the form and assume that either an error occured or the user had attempted to refresh the form processing page without actually going back and re-submitting the form all over again.
Unset the token previously set. If the user visits the page that displays the form again, start over at step #1.

NZ_Kiwis

bradgrafelman;10983060 wrote:
Using sessions, you could do something like the following:

User requests the form page. Generate some token ([man]uniqid/man, anything really) and store it in the session. Include this token as a hidden input in the form.

Upon submission of a form, check for this token in the session and make sure the value matches that which was POST'ed with the data. If it does, process the form as usual.

If it does not, don't process the form and assume that either an error occured or the user had attempted to refresh the form processing page without actually going back and re-submitting the form all over again.

Unset the token previously set. If the user visits the page that displays the form again, start over at step #1.

Arr so upon loading my_edit_page.php I give a token, check the token on my_form_submit.php and then once back at index.php give myself a new token.

If I go "back" my token will be different?

is this what you mean?

traq

if the user goes Back, their re-submitted token will be the same - but you will have already changed/deleted yours, so they won't match and your script can ignore the duplicate submission.

NZ_Kiwis

Wont it cache the token and a refresh will not pick up the new one??

bradgrafelman

NZ_Kiwis;10983102 wrote:
Wont it cache the token and a refresh will not pick up the new one??

Yes, that's the whole point of doing it... hence how you would know to reject it as a duplicate submission instead of processing it.

NZ_Kiwis

So now i'm lost, i'm saying it will cache my token this meaning the whole idea will not work.
is that what you are saying?

johanafm

It will, but your session variable 'token' will have changed...

if ($_POST['token'] != $_SESSION['token'])
{
   # page reload or some such
}
else
{
  # handle post
}

But, do note that by using a post token, if have one page open with a form on it and then opens a new tab, which I commonly do using ctrl-click / command-click, and the scond page also contains a form, then I will no longer be able to use the form on the first page. Moreover, I will not know this until I filled out the form and hit submit.
So you may want to extend this idea using one token per form, rather than one token for the entire site.

Also note that the location header takes a full absolute url, not a relative one. I.e. it always starts with protocol, followed by domain: http://example.com/index.php.

vivekgg7

i am facing some problem in php code

vivekgg7

i am facing some problem in php code