On Thu, Sep 21, 2006 at 05:04:38PM -0500, [EMAIL PROTECTED] wrote:

> But why are you returning an error page, doesn't the fact that the token
> no longer is valid mean that the form has already been submitted (return a
> oops this form has already been submitted page)?
The token is still valid. The test for the token and its update are not atomic, so a second request can get in before the session is updated to reflect that the token is invalid. It's a race condition. So, it would be helpful to move to a token system where the test and invalidation are atomic (like storing the token in the database and checking rows deleted).

If I submit a form and wait, then reload, then, yes, it will tell me the form can't be posted because the token is no longer valid. But, by double post, I mean a double-click on the submit button. It's submitting the request, then quickly submitting the same request again. In that case even returning "oops, page already submitted" still means the first request (of a double-post) was processed and the user sees no output from that first request. I see no way around that, except the sick idea below. If you hit submit and then close your browser you get basically the same result -- don't see the response.

> > My code now detects that something doesn't quite make sense and gives
> > a slightly smarter message. But, it's not always easy to see a
> > request and know that it's already happened vs. just is not in a
> > state where that kind of request is allowed.
>
> Does the plugin actually lose its state without a submission? (even if you
> go to another section of website on the same session...)

The token is stored in the session. So all that happens is upon submission a check is made that the token exists in the form and it matches the current one stored in the session. If so, it is deleted. When a new form is created a new token is created. Someone can't really have two windows open at the same time.

I think I'll move to a system of storing the tokens in the database and then it's one token per form and can only be used for one submission. And use cron to remove old tokens.
I could be crazy and store the output from first form posting in the database and then if another form is posted with that same token just redisplay the original page's output. That sounds like trouble.

Geeze, if people double click on submit buttons and can get past the javascript then they get what they deserve. ;)

-- 
Bill Moseley
[EMAIL PROTECTED]

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
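The two token schemes discussed in the message above, as an added example (not code from this thread or from Catalyst; it is Python with sqlite3 rather than Perl, and the table name, function names and the in-memory database are assumptions). The session-style version tests the token in one step and invalidates it in another, so a second request that slips in between the two is also accepted. The database version folds test and invalidation into a single DELETE and treats "one row deleted" as the only success, so only one of two identical submissions can ever pass. A cleanup function stands in for the cron job that removes stale tokens.

```python
import secrets
import sqlite3
import time


def open_store():
    """Create the token table; in-memory here so the example runs offline (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE form_token (token TEXT PRIMARY KEY, created INTEGER NOT NULL)"
    )
    return conn


def issue_token(conn, now=None):
    """Mint one unguessable token per rendered form and record it in the database."""
    token = secrets.token_urlsafe(24)
    created = int(time.time()) if now is None else now
    conn.execute("INSERT INTO form_token (token, created) VALUES (?, ?)", (token, created))
    conn.commit()
    return token


def consume_token_atomic(conn, token):
    """Test and invalidate in one statement: the DELETE either removes the row
    (rowcount 1, submission accepted) or finds nothing (rowcount 0, rejected).
    Two concurrent requests carrying the same token cannot both see rowcount 1."""
    cur = conn.execute("DELETE FROM form_token WHERE token = ?", (token,))
    conn.commit()
    return cur.rowcount == 1


def consume_token_racy(session, token, interleave=None):
    """The session-based pattern from the thread: check first, invalidate afterwards.
    `interleave` is a hook standing in for a second request that runs between
    the check and the update; in a real server that gap is the race window."""
    if session.get("token") != token:
        return False
    if interleave is not None:
        interleave()  # another request is serviced before we update the session
    session.pop("token", None)  # invalidate (nothing to remove if the other request won)
    return True


def demonstrate_race():
    """Deterministic replay of a double-click against the racy scheme: both
    submissions pass the check because neither has updated the session yet."""
    session = {"token": "constructed-token"}  # constructed sample session
    second_result = []

    def second_request():
        second_result.append(consume_token_racy(session, "constructed-token"))

    first = consume_token_racy(session, "constructed-token", interleave=second_request)
    return [first] + second_result  # both True: the double post was processed twice


def demonstrate_atomic():
    """Same double submission against the database scheme: first wins, second is rejected."""
    conn = open_store()
    token = issue_token(conn)
    return (consume_token_atomic(conn, token), consume_token_atomic(conn, token))


def purge_expired(conn, max_age_seconds, now=None):
    """What the cron job would do: drop tokens older than max_age_seconds.
    Returns the number of rows removed."""
    now = int(time.time()) if now is None else now
    cur = conn.execute("DELETE FROM form_token WHERE created < ?", (now - max_age_seconds,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    print("racy scheme, double post accepted twice:", demonstrate_race())
    print("atomic scheme, second post rejected:", demonstrate_atomic())
```

The atomicity comes from the database executing the DELETE as a single operation and reporting how many rows it touched; no application-side check precedes it that another request could observe as still valid. The same rowcount check works for an UPDATE that flips a `used` flag if tokens need to be kept for auditing. Note that this only stops the second request from being processed; as the message says, the user still never sees the response to the first one.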
