Preventing a re-submit via browser's Refresh button

Posted: Tue Dec 16, 2003 4:15 pm
by Jean-Yves
I have an online game site which is in beta testing at the moment. One of the testers has come up with a whole bunch of exploits that I am slowly getting around to fixing.

Here's one that is really annoying me, as I'm sure that the answer is very simple, but for some reason I can't see it :(

I have a "Move" button that is of type "submit". On submit, it calls the current page, and it uses some post vars to adjust the game view. The move button is disabled using PHP under certain conditions, such as when the character has run out of energy or an impassable terrain type is directly ahead.

However, when the page is reloading, if a player clicks the refresh button quickly enough, the form is re-submitted irrespective of whether they have clicked or not, so they can move again even if exhausted or going into unsuitable terrain.

I hold the current characters details in a PHP object held as a session variable, and the back-end is MySQL. Each character has a unique record which is used to populate the session variable.

Does anyone know how I could stop the refresh button from resubmitting the form if the player has not clicked the Move submit button? The beta testers are having a field day cheating against one another, and I want to stop them asap ;)

Many thanks

Posted: Tue Dec 16, 2003 4:38 pm
by microthick
Instead of just letting the page display as normal after you've processed the MOVE code, do a redirect back to the same page, so that if they press refresh, it just refreshes the new page that has no post data to worry about.

Posted: Tue Dec 16, 2003 4:53 pm
by Jean-Yves
Doh! I knew it was simple! Honestly, sometimes I wonder whether I remembered to switch my brain on in the morning :)

Thanks very much for the solution.

Posted: Tue Dec 16, 2003 5:04 pm
by microthick
Only problem is that they could press BACK until they return to that old page and possibly refresh it. Dunno if your code will allow that to happen.

If that can happen, there's some meta tag attribute called pragma-control or something that instantly renders old post data void.
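A worked version of the redirect microthick suggests, extended with a one-time move token so that the Back-then-Refresh case raised in the last post is also rejected. This is an added example and not code from the thread. It assumes the script is called game.php, PHP 7.4+, a character stored as an array in $_SESSION['character'] (the poster used an object), a constructed map and energy rule, and a hypothetical save_character() standing in for the MySQL UPDATE. The server-side can_move() check is what actually stops a cheating move; the disabled attribute on the button only changes what the browser shows.

```php
<?php
// Added example, not code from the original thread. Assumes this file is game.php,
// PHP 7.4+, the character in $_SESSION['character'] as an array, and a hypothetical
// save_character() in place of the real MySQL update.
session_start();

if (!isset($_SESSION['character'])) {
    // Constructed sample character so the page runs stand-alone.
    $_SESSION['character'] = ['name' => 'tester', 'x' => 0, 'energy' => 2];
}

function terrain_ahead(array $char): string {
    // Constructed map: everything from x=3 onward is water (impassable).
    return $char['x'] >= 3 ? 'water' : 'grass';
}

// The server decides whether a move is allowed, on every request,
// regardless of whether the Move button was rendered as disabled.
function can_move(array $char): bool {
    return $char['energy'] > 0 && terrain_ahead($char) !== 'water';
}

function save_character(array $char): void {
    // Hypothetical stand-in for the UPDATE of the character's MySQL row.
    $_SESSION['character'] = $char;
}

// One-time token: minted when the form is rendered, destroyed when it is used,
// so a replayed POST (Refresh during load, or Back then Refresh) is rejected.
function new_move_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['move_token'] = $token;
    return $token;
}

function consume_move_token(?string $submitted): bool {
    $expected = $_SESSION['move_token'] ?? null;
    unset($_SESSION['move_token']);          // single use, even if the check fails
    return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $char = $_SESSION['character'];
    if (consume_move_token($_POST['move_token'] ?? null) && can_move($char)) {
        $char['x']      += 1;
        $char['energy'] -= 1;
        save_character($char);
        $_SESSION['flash'] = 'Moved.';
    } else {
        $_SESSION['flash'] = 'Move rejected.';
    }
    // Post/Redirect/Get: a 303 makes the browser fetch the page with GET,
    // so Refresh re-requests a GET and there is no form data to resubmit.
    header('Location: game.php', true, 303);   // game.php is the assumed filename
    exit;
}

// GET branch: render the current view with a fresh token.
header('Cache-Control: no-store');             // sent as an HTTP header, not a meta tag
$char  = $_SESSION['character'];
$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
$token = new_move_token();
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<p><?= $h($flash) ?></p>
<p>Position <?= (int)$char['x'] ?>, energy <?= (int)$char['energy'] ?>,
   ahead: <?= $h(terrain_ahead($char)) ?></p>
<form method="post" action="game.php">
  <input type="hidden" name="move_token" value="<?= $h($token) ?>">
  <button type="submit" name="move"<?= can_move($char) ? '' : ' disabled' ?>>Move</button>
</form>
```

The redirect alone fixes the Refresh-during-load case, because the page the player ends up on was produced by a GET. The token covers the case microthick worries about: if the old POST is reached again through Back, it carries a token that was already consumed, so the move is refused before the game state is touched. The 303 status is used rather than the default 302 so that every browser switches to GET after the redirect.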