Posted: Mon Jan 23, 2006 11:31 pm
by d3ad1ysp0rk
That's very weird. I can see maybe the browser messing up and keeping the post data alive, but it wouldn't do anything because it would be posting it to the success.php page. Are you sure you were using a 3-page system and not an all-in-one or two-page system?

Posted: Tue Jan 24, 2006 8:13 am
by duk
But am I wrong, or if you do a check first (like every form, you need a check whether a user with that name already exists)... right???

So if you do that... how will refreshing insert the same data into the database? I'm not getting the point of some people here saying that refreshing will duplicate entries in the DB...

This post was mine, but I was referring to other stuff: when you go back in the browser it asks you to post the data again. What I needed was to try to clear the buffer, because all POST data was inserted into SESSION vars and I don't need to post the data again... but when I go back, all forms will have the data that has been sent, because every piece of data is now in SESSION vars. That's why I don't want the browser to send the POST data again when I go back... but anyway, I think I no longer need to clear the POST data...

Posted: Tue Jan 24, 2006 8:46 am
by Maugrim_The_Reaper
Problem is you can't tell the browser what to do. What if a rogue site was allowed that privilege? Where do you draw the line for what a server can tell a user's browser to do?

The idea of a form token is probably most workable - it's unique, can only be used once. It's also a useful practice to use on any form to prevent CSRF (Cross-Site Request Forgeries) as described by Chris over on http://shiflett.org/articles/security-corner-dec2004 .

That way you can have some standard method of preventing postdata refreshes which are unintentional (or the result of forgeries). No DB required... Even helps against multiple submissions.

The key to a usable system as above (keeping in mind most invalid tokens are probably unintentional user errors) or the one Roja described elsewhere for this scenario - is to ensure it allows a redirect to a safe page. One which requires no form submission (could even be the same page if form validation is triggered by a specific POST value).

Posted: Tue Jan 24, 2006 9:20 am
by Roja
Post-Redirect-Get pattern.

Solves the issues mentioned.
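One way to put the last two posts into practice together, the one-time form token Maugrim describes (invalid or reused token sends the user to a safe GET page) and the Post-Redirect-Get pattern Roja names, as an added example written for this page, not code from the thread or from any project it mentions. It assumes a single script saved as form.php on a PHP install with session support; the function names issue_token, consume_token, redirect and insert_user, the session key form_tokens and the TOKEN_TTL constant are this example's own.

```php
<?php
// Added example (not from the thread): one-time form token + Post-Redirect-Get in one file.
// Assumes this file is served as form.php and that sessions work. All names below are
// this example's own, not a library API.
declare(strict_types=1);
session_start();

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

// Issue a fresh token for a named form and record it in the session. Several tokens per
// form may be outstanding at once, so the user can have the form open in two tabs.
function issue_token(string $form): string {
    // Drop expired tokens so the session does not grow without bound.
    foreach ($_SESSION['form_tokens'][$form] ?? [] as $old => $issued) {
        if (time() - $issued > TOKEN_TTL) {
            unset($_SESSION['form_tokens'][$form][$old]);
        }
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['form_tokens'][$form][$token] = time();
    return $token;
}

// Consume a token: valid only if it exists for this form, has not expired, and has not been
// used before. Deleting it on first use is what stops refresh, double-click and replay.
function consume_token(string $form, ?string $token): bool {
    if ($token === null || !isset($_SESSION['form_tokens'][$form][$token])) {
        return false;
    }
    $issued = $_SESSION['form_tokens'][$form][$token];
    unset($_SESSION['form_tokens'][$form][$token]);
    return (time() - $issued) <= TOKEN_TTL;
}

// Post-Redirect-Get: never render a page as the response to a POST. A 303 makes the browser
// follow with a GET, so a later refresh re-requests the GET page, not the form submission.
function redirect(string $path): void {
    header('Location: ' . $path, true, 303);
    exit;
}

function insert_user(string $name): void {
    // Placeholder for the real INSERT. A UNIQUE constraint on the name column remains the
    // authoritative duplicate check; the token only prevents accidental resubmission.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = $_POST['token'] ?? null;
    if (!consume_token('register', is_string($raw) ? $raw : null)) {
        // Missing, expired or already-used token. Most of these are user error (back button,
        // refresh), so land on the safe GET page with a message rather than an error wall.
        $_SESSION['flash'] = 'That form was already submitted or has expired. Please try again.';
        redirect('form.php');
    }
    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '') {
        $_SESSION['flash'] = 'Name is required.';
        redirect('form.php');
    }
    insert_user($name);
    $_SESSION['flash'] = 'Registered ' . $name . '.';
    redirect('form.php?done=1');
}

// GET branch: show the result of the previous POST (if any) and a form with a fresh token.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
$token = issue_token('register');
header('Content-Type: text/html; charset=utf-8');
?>
<!doctype html>
<?php if ($flash !== null): ?>
<p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<?php if (!isset($_GET['done'])): ?>
<form method="post" action="form.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Name <input name="name"></label>
  <button type="submit">Register</button>
</form>
<?php endif; ?>
```

Because the token is bound to the session and deleted on first use, a forged cross-site POST (which cannot read the victim's token) and an accidental second submission both take the same harmless path: a redirect back to the GET page. The 303 redirect is what removes the "resend data?" prompt on refresh, since the browser's last request is a GET.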