Three Common Ways to Prevent Double Submits
- #Security
- #CSRF
- #Best Practices
- #UI/UX
- 2018/09/25
Three classic countermeasures
- PRG pattern (Post/Redirect/Get) – When form data is posted, immediately issue a redirect and return a GET response. Even if the user double-clicks, the redirect prevents the same POST from being processed twice.
- Tokens – Include a random value (e.g., a hidden input or parameter) keyed to each form submission. If the user submits twice, the server detects the already-used token and rejects the second request. You need proper error handling so that the rejected duplicate shows a sensible message rather than a generic failure.
- Disable the submit button with JavaScript – On the first click, disable the button so it cannot be clicked again. Because a client can disable or bypass JavaScript, this is a usability aid only; do not rely on it alone, and pair it with a server-side measure.
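As an added example (not from the original post), the following Python sketch combines the first two countermeasures on the server side: the GET handler mints a one-time token bound to the session, the POST handler consumes it before writing and then answers with a 303 redirect (PRG). The in-memory `SESSIONS` and `ORDERS` dictionaries, the `Response` class and the route names are assumptions standing in for a real framework's session store, database and router.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: an in-memory session store (session_id -> dict) and a list that
# stands in for the DB table a double submit would fill with duplicate rows.
SESSIONS: dict[str, dict] = {}
ORDERS: list[dict] = []


@dataclass
class Response:
    """Minimal stand-in for a framework response object (assumed for the example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def render_form(session_id: str) -> Response:
    """GET handler: mint a fresh one-time token and embed it in the form.

    The token lives in the user's session and is only readable from this page,
    so it doubles as a CSRF token: a cross-site POST cannot supply it.
    """
    session = SESSIONS.setdefault(session_id, {})
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["form_token"] = token
    html = (
        '<form method="post" action="/orders">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input name="item"><button type="submit">Order</button></form>'
    )
    return Response(200, body=html)


def submit_form(session_id: str, form: dict) -> Response:
    """POST handler: validate and consume the token, write once, then redirect."""
    session = SESSIONS.get(session_id, {})
    expected = session.get("form_token")
    supplied = form.get("token", "")
    # Constant-time comparison on bytes; a missing or already-consumed token
    # (expected is None) is rejected exactly like a forged one.
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), supplied.encode("utf-8")
    ):
        return Response(409, body="Duplicate or invalid submission")
    # Consume the token only after a successful match, so a forged request
    # cannot invalidate the legitimate user's pending form.
    del session["form_token"]
    ORDERS.append({"item": form.get("item", "")})
    # Post/Redirect/Get: 303 makes the browser issue a GET for the result page,
    # so a reload (F5) repeats that GET rather than the POST.
    return Response(303, headers={"Location": "/orders/done"})


if __name__ == "__main__":
    page = render_form("session-1")
    tok = SESSIONS["session-1"]["form_token"]
    first = submit_form("session-1", {"token": tok, "item": "book"})
    second = submit_form("session-1", {"token": tok, "item": "book"})
    print(first.status, second.status, len(ORDERS))  # 303 409 1
```

The check-then-delete on the session dictionary is not atomic, so two genuinely simultaneous POSTs could both pass before either deletes the token; in a real deployment, consume the token with a single atomic operation against the session or token store (for example a conditional delete whose result tells you whether the token was still present) and treat a failed consume as the duplicate.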
Damage caused by double submits
- Duplicate rows inserted into the DB
- Data inconsistencies
- Potential security issues if attackers exploit the behavior
Typical triggers
- Double-clicking the submit button
- Reloading the page (F5, Cmd/Ctrl+R)
- Going back (Alt + ←) and resubmitting
- CSRF attacks that force the same request
Closing
These are the countermeasures I see most often.