[Medusa-dev] Quixote Submit button and browser Back button

Phillip Pearson pp at myelin.co.nz
Wed Aug 10 08:05:39 CEST 2005


A good trick is to make the page that accepts the form return a 302
redirect to somewhere.  This makes the form submission disappear from
the 'back' history, and means that if someone hits the refresh button,
the form doesn't get submitted again.  These are the two big problems.

I'm not sure if that made sense, so here's an example:

You have a weblog comments page, /comments.  Someone enters a comment
in the form, then clicks "POST".  The browser POSTs the form to
/new-comment, which saves it in the database then returns a 302
redirect to /comments.  The browser picks this up and displays the
/comments page rather than /new-comment.

This is something that pretty much every well-written web app
does... it's really worthwhile.

Cheers,
Phil :)

On Mon, Jul 18, 2005 at 03:07:20PM +0200, Harald Armin Massa wrote:
> Eduardo,
> 
> isn't this THE usual problem with Web-Apps? :)
> 
> You want to be sure that ONE PARTICULAR FORM only gets submitted once.
> 
> So, make this form unique:
> 
> add a HIDDEN input with a UNIQUE GUID (Windows has a GUID in its API, there 
> are MILLIONS of recipes out there, an MD5 of the current time.time() is 
> quite fair)
> 
> when logging Info to database, store this guid. If a form with the same guid 
> is submitted, reject that information
> 
> Add timeouts as appropriate (for example, each GUID is only valid for 0,5 
> hours)
> 
> Harald
> 
> 
> 2005/7/15, Eduardo Biano <edbiano at rocketmail.com>:
> > 
> > Hi,
> > 
> > I am a Medusa and Quixote newbie, hacked the Quixote
> > demo and created a small app. The app authenticates
> > users, displays a form which users can fill and
> > submit using a Submit button. It updates a database
> > and then displays the home page.
> > 
> > My problem is, when the home page is displayed and I
> > hit the browser Back button the same form is displayed
> > with all the information of the previous entry. And
> > when I hit the Submit button it again updates the
> > database.
> > 
> > I would like to have the form page expired or any
> > other solution you can suggest so that users cannot
> > submit the form again without being authenticated. I
> > read about _q_access and session but I cannot figure
> > out how to do it. I think the browser Back button
> > issue is different from the normal program flow.
> > 
> > Please give some hints and thank you in advance.
> > 
> > Cheers!
> > Ed
> > 
> 
> 
> 
> -- 
> GHUM Harald Massa
> persuasion python postgresql
> Harald Armin Massa
> Reinsburgstraße 202b
> 70197 Stuttgart
> 0173/9409607
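
The two suggestions in this thread combined, as an added example that is not part of the original messages and is not Quixote code: a single-use hidden-field token with a 30-minute lifetime, and a POST handler that always answers with a 302. The names FormTokens, handle_new_comment and form_token are assumptions, and the token comes from Python's secrets module rather than the MD5 of time.time() mentioned above, so that it cannot be guessed.

```python
import secrets
import time

TOKEN_TTL = 30 * 60  # seconds; the 0.5 hours suggested in the thread


class FormTokens:
    """Single-use form tokens held in memory (hypothetical helper).

    A real app would keep them in its database with a unique constraint,
    so that two simultaneous submissions cannot both pass the check.
    """

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.issued = {}  # token -> expiry timestamp

    def issue(self):
        """Create the value for the hidden input when the form is rendered."""
        token = secrets.token_urlsafe(32)
        self.issued[token] = self.clock() + self.ttl
        return token

    def consume(self, token):
        """Return True once per valid token; False if unknown, reused or expired."""
        expiry = self.issued.pop(token, None)
        return expiry is not None and self.clock() <= expiry


def handle_new_comment(form, tokens, comments):
    """POST /new-comment: store the comment at most once, then redirect."""
    if tokens.consume(form.get("form_token", "")):
        comments.append(form["comment"])
    # 302 in both cases: Refresh and Back land on GET /comments, not on the POST.
    return 302, {"Location": "/comments"}
```

The token closes the gap the redirect leaves open: a user who goes Back to the filled-in form and presses Submit again sends a token that has already been consumed.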
