Daniel Brown wrote:
On Wed, Mar 19, 2008 at 12:01 PM, Eric Butera <eric.butera@xxxxxxxxx> wrote:
Unique form tokens.
Generate a token when the form is displayed and save that value in the session.
Then on post check it and remove it. Then if they re-submit it will
not exist therefore be invalid.
I like Eric's method better than the timestamp method I proposed.
Much cleaner and easier to institute, and I'd hazard a guess at it
being more reliable as well.
The initial problem that I see with it would be that if the user clicks the
submit button a second time, the first transaction is canceled. If the process
takes a long time, maybe the time period for the server to get the approval has
already passed, but the server is still doing stuff but not redirected the
person to the success page. At this point, the user has purchased the item
successfully, but they did see the success page. So they repeat the process,
over and over and over...
That is a situation that I can envision at least.
My suggestion would be to disable the submit button. This would prevent the
first transaction from being killed prematurely.
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
