
Back Button Hell

Posted: Wed Dec 01, 2004 9:50 am
by neophyte
Okay, we're coding a donations page. We want to make sure the form cannot be resubmitted with either the back arrow or the refresh button so people don't accidentally charge themselves twice. How can I prevent this phenomenon? I've read on the forums several suggestions including making cache private, using the get method in the form. What's the best way to do this?

Thanks

Posted: Wed Dec 01, 2004 10:18 am
by xisle
Just a suggestion, for the donation form you could disable the button and submit with javascript.

Code:

<SCRIPT LANGUAGE=JavaScript>
// disable the clicked button so it cannot be pressed twice, then submit the form
function disableButton(btn)
{
	btn.disabled = true;
	document.formname.submit();
}
</SCRIPT>

<input type="button" value="save" onclick="javascript: return disableButton(this);">

Posted: Wed Dec 01, 2004 10:47 am
by neophyte
Thanks for the reply xisle. Is there a way that you can clear the form after the submission so that hitting the back button would send them to an empty form? I wasn't able to get the back button disabled. But the form submitted so I have to assume the JS executed...

Posted: Wed Dec 01, 2004 11:19 am
by neophyte
Well I added a reset() after the submission process and that clears the form. So even if they do hit the back button they won't find their data.

Code:

<SCRIPT LANGUAGE=JavaScript>
// disable the button, submit the form, then clear the fields
function disableButton(btn)
{
   btn.disabled = true;
   document.formname.submit();
   document.formname.reset();
}
</SCRIPT>

Posted: Wed Dec 01, 2004 11:52 am
by rehfeld
I would do it server-side, in case they have JS disabled. You're collecting the info server-side anyway, so it's really just 1 more small step.

Code:

<?php

session_start();

// there's also a variation of the cache-control header that you might find useful.
// i would not depend on it though for this purpose
// the browser will check w/ the server and ask if the document has changed. it will only re-download the page if it has changed.
// (headers have to be sent before any output, so this goes ahead of the echo below)
header('Cache-Control: Private, Must-Revalidate');

// placeholder for: form submitted, form complete, and acceptable
$form_ok = ($_SERVER['REQUEST_METHOD'] === 'POST');

if ($form_ok) {
    if (empty($_SESSION['form_accepted'])) {
        // accept it, process it, send emails etc.....
        $_SESSION['form_accepted'] = true;
    } else {
        echo 'you already submitted the form';
    }
}
?>
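
An added example (not part of rehfeld's post or anyone's code in this thread) that takes the server-side check one step further: a single-use token per rendered form plus a redirect after the POST, so a refresh or back-button resubmit is rejected without locking the whole session out of donating again. The file name donate.php, the field names and process_donation() are assumptions for illustration.

```php
<?php
// Added example: one-time form token plus Post/Redirect/Get (PHP 7+).
// Assumptions: this file is donate.php; process_donation() is a
// hypothetical stand-in for the real payment call.
session_start();

function process_donation(string $amount): void
{
    // hypothetical placeholder: charge the card, send emails, etc.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = $_POST['form_token'] ?? '';
    $issued = $_SESSION['form_token'] ?? '';
    // The token is single-use: drop it before processing, so a replayed
    // POST (refresh, back + resubmit, double click) no longer matches.
    unset($_SESSION['form_token']);

    if (is_string($sent) && $issued !== '' && hash_equals($issued, $sent)) {
        process_donation((string) ($_POST['amount'] ?? ''));
        $_SESSION['flash'] = 'Thank you for your donation.';
    } else {
        $_SESSION['flash'] = 'This form was already submitted.';
    }
    // Redirect so the page left in history is a GET; refreshing it
    // cannot re-send the POST.
    header('Location: donate.php', true, 303);
    exit;
}

// GET: issue a fresh token for this rendering of the form.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
?>
<p><?= htmlspecialchars($flash) ?></p>
<form method="post" action="donate.php">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($_SESSION['form_token']) ?>">
  <input type="text" name="amount">
  <input type="submit" value="Donate">
</form>
```

Going back to a cached copy of the form and submitting it again sends the old token, which the server has already discarded, so the second charge never runs even with JavaScript disabled.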

Posted: Wed Dec 01, 2004 1:34 pm
by Archy
You could also, once the transaction has taken place, clear the variables that were stored; this would mean that a refresh would not work. So that you don't come up with an error, you could use a simple if statement to check that the variables actually contain data. If not, then don't let the transaction take place, and display a message saying that they have already donated.

Need to stop people pressing the back button? Not an ideal solution, but perhaps when submitted, open the page in a new window where it then does the transaction. Therefore people cannot press the back button.

Of course, none of these are probably ideal solutions.

Posted: Wed Dec 01, 2004 3:35 pm
by neophyte
I think we're going to do a combo solution. Use the JS to clear the form after it's submitted and use sessions or cookies to prevent them from returning.

Thanks all!!!!!