Expire form page after submitted if user attempts to go back

frshjb373

I have a form, that upon submission creates a return shipping label automatically. To avoid users going back and attempting to resubmit the form (which will thereby run the script to create another shipping label), I'd like to figure out a way to completely expire that form page...or redirect the user to another page if going back.

Any advice or resources would be much appreciated. Thanks!

traq

use a token.

when you generate the form, send along a nonce (unique, random value) in a hidden form field.

Keep track of the token server-side (typically in $_SESSION).
when the form is submitted, check the token. The token must:
-- be the same token you sent
-- not have been submitted yet (see below)

3a. if both conditions are met, save the token in a list (also usually in your $_SESSION) of USED tokens.
Process the form.

3b. if both conditions are not met, then you know that one of two things is happening:
-- if the token is missing or mismatched, then it's likely a forged form submission (or possibly from an expired session).
-- if the token is already used, then it's likely that the user clicked [submit] twice, and/or backed over the page again.
Either way, don't process the form.

frshjb373

So at this point, all I've done is added the following code to my form page:

<?php 
	$id = uniqid();
	$_SESSION['id'] = $id;
?>

<input type="hidden" name="id" value="<?php echo $id; ?>">

And the following code to my process page:

<?php
$_SESSION['id'];
?>

Not quite sure how to "check the token" as you have suggested, but it appears at this point, what I have done creates an expired page when going back in both Firefox and Chrome. Am I missing something, or I have I done this correctly? Thank you for the help!!

bradgrafelman

frshjb373;11012629 wrote:
Not quite sure how to "check the token" as you have suggested

The same way you'd check any pair of strings for equality.

frshjb373;11012629 wrote:
have I done this correctly?

If we're going off of traq's itemized list above, then you've only implemented #1; items #2 and both parts of #3 are completely unimplemented thus far.

Also note that you could simplify the model suggested in traq's post above if you don't care to differentiate between a "forged form submission" or a duplicate submission. If that's the case, you can get rid of history of nonce values and simply keep track of the most recently generated value. When the form is submitted, you'd check to see if the values match and, if they do, process the data (and destroy/alter the nonce value stored on the server).

bradgrafelman

frshjb373;11012629 wrote:
Not quite sure how to "check the token" as you have suggested

The same way you'd check any pair of strings for equality.

frshjb373;11012629 wrote:
have I done this correctly?

If we're going off of traq's itemized list above, then you've only implemented #1; items #2 and both parts of #3 are completely unimplemented thus far.

frshjb373

I appreciate your help! Here's what I came up with:

On the form page I have the following...

<?php
                // Start session
                session_start();
		$id = uniqid();
		$_SESSION['id'] = $id;
?>

Along with the hidden token to send to the process script...

<input type="hidden" name="id" value="<?php echo $id; ?>">

On the process page, I have the following to check the post id against the session id/token:

<?php
// Start session
session_start();

// Check the token to see if they match
if(isset($_POST['submit']) && $_POST['id'] == $_SESSION['id']) {
        header("Location: ../offerform-thanks.php"); 
} else {
        header("Location: ../offerform-expired.php"); 
}

// Invalidate the id/token so it expires
unset($_SESSION['id']);
?>

I feel like I'm getting close. But I have headers for both of the if statements, but the form is still processed for both if statements. Not quite sure how to not process a form as Traq had suggested. Am I on the right track at this point? I'm not a fast learner, but I'll get it. Thanks again for your help!

Derokorian

I think your problem comes with the fact that you are unsetting AFTER calling header, which means that code should not, theoretically, ever be executed so you never unset the $_SESSION['id'] try adding it before the header and after the check.

bradgrafelman

Derokorian;11012747 wrote:
I think your problem comes with the fact that you are unsetting AFTER calling header, which means that code should not, theoretically, ever be executed

Why would you say that? I don't see anything that would prevent the rest of the code to be executed.

Derokorian

bradgrafelman;11012761 wrote:
Why would you say that? I don't see anything that would prevent the rest of the code to be executed.

I said that because I work in another language 9-10 hrs a day now, and forgot that header('Location: url') doesn't stop execution like Response.Redirect(url). (yes I just openly admitted I fail)

bradgrafelman

Derokorian;11012801 wrote:
(yes I just openly admitted I fail)

Indeed, only because you revealed that the "[other] language" is ASP!

Derokorian

Actually its VB.NET but yeah close enough 😛

Sometimes you take what you can get, as someone with no formal training and my only experience being my personal projects and a couple paid projects there aren't a lot of options available. However some experience working in a team environment should help. I do prefer php to vb/c# (the languages we work in here) trust me on that.

traq

frshjb373;11012745 wrote:
<?php
// Start session
session_start();

// Check the token to see if they match
if(isset($_POST['submit']) && $_POST['id'] == $_SESSION['id']) {
        header("Location: ../offerform-thanks.php"); 
} else {
        header("Location: ../offerform-expired.php"); 
}

// Invalidate the id/token so it expires
unset($_SESSION['id']);
?>	
I feel like I'm getting close. But I have headers for both of the if statements, but the form is still processed for both if statements...

Is you form processing code located in [font=monospace]offerform-thanks.php[/font]?

A few other thoughts:

[font=monospace]if(isset($POST['submit']) && $POST['id'] == $_SESSION['id'])[/font]

why check if "submit" is set? does it matter?
the variable you're going to use is "id" - if "submit" is set and "id" is not, you'll get an error.
besides, "id" comes from the form, so it is just as good an indication that the form was submitted.

[font=monospace]header("Location: ../offerform-thanks.php");[/font]

header() expects a fully qualified URL (e.g., http://example.com/offerform.php).
this may or may not actually cause any problems now, or later, but it can.

Derokorian wrote:
I think your problem comes with the fact that you are unsetting AFTER calling header, which means that code should not, theoretically, ever be executed

bradgrafelman wrote:
Why would you say that? I don't see anything that would prevent the rest of the code to be executed.

how consistent is this behavior? I know it is correct for a script to continue execution after a redirection via header(), but I seem to remember hearing|reading that it's not necessarily reliable...?

bradgrafelman

traq;11012841 wrote:
I seem to remember hearing|reading that it's not necessarily reliable...?

You must not have been reading about PHP, because PHP doesn't flip a coin for every situation in order to decide whether or not it will execute in a deterministic fashion. 😉

frshjb373

traq;11012841 wrote:
header() expects a fully qualified URL (e.g., http://example.com/offerform.php).
this may or may not actually cause any problems now, or later, but it can.

how consistent is this behavior? I know it is correct for a script to continue execution after a redirection via header(), but I seem to remember hearing|reading that it's not necessarily reliable...?

I think you're probably right about that...behavior has been somewhat inconsistent. It was working fine at one point, but then my headers stopped working...but it didn't work either with a fully qualified url. I did some searching and found that if add

ob_start("ob_gzhandler");

after

session_start();

it seems to execute without further errors.

I can definitely change the header to qualified URLS, however. I think at this point I have figured everything out. Thank you traq and bradgrafelman for all your help.

Cheers.

Weedpacket

bradgrafelman;11012843 wrote:
You must not have been reading about PHP, because PHP doesn't flip a coin for every situation in order to decide whether or not it will execute in a deterministic fashion. 😉

What might happen is that the client gets the 302 response and immediately makes a new request, without waiting for the rest of the response (the standard doesn't REQUIRE the client to use the body of a 302 response, but does say the server SHOULD supply one!). If there is sufficient processing after the [man]header[/man] call, and [man]ignore_user_abort[/man] is off (which it is by default), the script might be terminated early, when it tries to write some output and finds the client has gone away.

bradgrafelman

Agreed, however:

Weedpacket;11012847 wrote:
If there is sufficient processing after the [man]header[/man] call

There isn't.

Weedpacket;11012847 wrote:
when it tries to write some output

It doesn't.

Bonesnap

frshjb373;11012745 wrote:
On the process page, I have the following to check the post id against the session id/token:
<?php
// Start session
session_start();

// Check the token to see if they match
if(isset($_POST['submit']) && $_POST['id'] == $_SESSION['id']) {
        header("Location: ../offerform-thanks.php"); 
} else {
        header("Location: ../offerform-expired.php"); 
}

// Invalidate the id/token so it expires
unset($_SESSION['id']);
?>	
I feel like I'm getting close. But I have headers for both of the if statements, but the form is still processed for both if statements.

That's because the header() function doesn't stop execution, even though it's perceived to be. The rest of the code after the header() functions is actually still executed.

What you need to add is the exit statement right after the header() functions like this:

if(isset($_POST['submit']) && $_POST['id'] == $_SESSION['id']) {
        header("Location: ../offerform-thanks.php"); 
        exit;
} else {
        header("Location: ../offerform-expired.php"); 
        exit;
}

This will end execution of the current script and then your header function will perform the redirect.