Re: ASP.NET 101 - How to prevent double-clicking on a submit button?

2010-07-29 Thread Michael Minutillo
If you're using jquery you can drop this in a master page:

$(document).ready(function() {
  $('form').submit(function(e) {
    // Disable the submit button(s) of the form that is being submitted
    $(e.target).find('input[type=submit]').attr('disabled', 'true');
  });
});

Now any form that gets submitted, its submit button will get disabled
immediately. We use a similar technique currently to turn the button into a
wait icon and to overlay a mask on the form.


Michael M. Minutillo
Indiscriminate Information Sponge
Blog: http://wolfbyte-net.blogspot.com


On Fri, Jul 30, 2010 at 7:13 AM, David Connors wrote:

> On 30 July 2010 08:54, Dylan Tusler wrote:
>
>>  At first I thought you were pulling a Friday funny on me.
>>
>
> I get that a lot. :)
>
>
>> But I do see your point, having properly read your post now.
>>
>
> I don't get that a lot.
>
>
>> I think, in our case, the web form is a very long way away from the
>> database, and after submission we go through a few human workflow steps
>> involving assessing and validating the submissions before it gets anywhere
>> near our DB, so I might just stick with JavaScript for the moment.
>> Double-submission is more of an annoyance than a peril in our situation.
>>
>> Here's what I've gone with (because I lurve C# and hate JavaScript)
>>
>> btnSubmit.Attributes.Add("onclick", "this.disabled=true;");
>>
>> in the form OnLoad.
>>
>
> If you're writing an intranet app (I kind of get the feeling you are) then
> it probably isn't so much of an issue because you have a support
> relationship with your users + known platform/security policy. If you're
> writing something facing the Internet, especially e-commerce, then I
> wouldn't be writing anything that depends on script at all (unless you want
> to lose a large single digit percentage of users/sales and a chunk of the
> public sector).
>
> Every time I see a javascript pop up like "YOUR TRANSACTION WILL TAKE 45
> SECONDS TO PROCESS - DO NOT CLICK SUBMIT AGAIN" my inner child software
> engineer cries.
>
> David.
>
> --
> *David Connors* | da...@codify.com | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact
>
>


RE: ASP.NET 101 - How to prevent double-clicking on a submit button?

2010-07-29 Thread silky
> At first I thought you were pulling a Friday funny on me.
>
> But I do see your point, having properly read your post now.
>
> I think, in our case, the web form is a very long way away from the
> database, and after submission we go through a few human workflow steps
> involving assessing and validating the submissions before it gets anywhere
> near our DB, so I might just stick with JavaScript for the moment.
> Double-submission is more of an annoyance than a peril in our situation.
>
> Here's what I've gone with (because I lurve C# and hate JavaScript)
>
> btnSubmit.Attributes.Add("onclick", "this.disabled=true;");
>
> in the form OnLoad.

Please don't do this. The most obvious reason is that if someone
presses escape while the form is loading it's still stuck. There are
more reasons (it doesn't work if JavaScript doesn't work, and so on).

My current approach is, assuming you allow sessions, a token in the
page. You set the token on load, and in the session. When the page is
posted, you check that the last submitted token matches the next
expected token. If it doesn't match, it's a double-submit (or,
significantly less likely, could indicate a CSRF attack
(http://en.wikipedia.org/wiki/Cross-site_request_forgery)). If it does
match, immediately set the next token to be a new token, and then
carry on processing.

Microsoft's MVC framework has an inbuilt approach to this, described
here (first link I found:
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/)


> Dylan.

-- 
silky

Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature.
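
The session-token check silky describes, written out in C# as an added example (not code from the thread or from ASP.NET; the class name `SubmitToken`, the session key and the `hdnToken` hidden field are assumptions):

```csharp
using System;
using System.Security.Cryptography;
using System.Web.SessionState;

// Added illustration. SubmitToken, SessionKey and the hidden-field wiring
// are assumed names, not from the thread or from ASP.NET itself.
public static class SubmitToken
{
    private const string SessionKey = "NextExpectedSubmitToken";

    // On first load: store a fresh token in the session and return it so the
    // page can embed it in a hidden field.
    public static string Issue(HttpSessionState session)
    {
        byte[] raw = new byte[32];
        RandomNumberGenerator.Create().GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        session[SessionKey] = token;
        return token;
    }

    // On postback: true only if the posted token is the one the session
    // expects. On a match the expected token is replaced immediately, before
    // any processing, so a repeat of the same post no longer matches.
    // nextToken is what the re-rendered page must carry.
    public static bool TryConsume(HttpSessionState session, string posted,
                                  out string nextToken)
    {
        string expected = session[SessionKey] as string;
        bool ok = expected != null
                  && string.Equals(expected, posted, StringComparison.Ordinal);
        // On a mismatch the expected token is left alone, so the page that
        // holds the current token can still be submitted once.
        nextToken = ok ? Issue(session) : expected;
        return ok;
    }
}

// Typical use in a Web Forms code-behind (hdnToken is an assumed HiddenField):
//   Page_Load:       if (!IsPostBack) hdnToken.Value = SubmitToken.Issue(Session);
//   btnSubmit_Click: string next;
//                    if (!SubmitToken.TryConsume(Session, hdnToken.Value, out next))
//                    { /* double submit: show a message, skip the work */ return; }
//                    hdnToken.Value = next;  // then carry on processing
```

By default ASP.NET gives one request at a time exclusive access to a given session, so two posts from the same browser cannot interleave between the comparison and the replacement.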


Re: ASP.NET 101 - How to prevent double-clicking on a submit button?

2010-07-29 Thread David Connors
On 30 July 2010 08:54, Dylan Tusler wrote:

>  At first I thought you were pulling a Friday funny on me.
>

I get that a lot. :)


> But I do see your point, having properly read your post now.
>

I don't get that a lot.


> I think, in our case, the web form is a very long way away from the
> database, and after submission we go through a few human workflow steps
> involving assessing and validating the submissions before it gets anywhere
> near our DB, so I might just stick with JavaScript for the moment.
> Double-submission is more of an annoyance than a peril in our situation.
>
> Here's what I've gone with (because I lurve C# and hate JavaScript)
>
> btnSubmit.Attributes.Add("onclick", "this.disabled=true;");
>
> in the form OnLoad.
>

If you're writing an intranet app (I kind of get the feeling you are) then
it probably isn't so much of an issue because you have a support
relationship with your users + known platform/security policy. If you're
writing something facing the Internet, especially e-commerce, then I
wouldn't be writing anything that depends on script at all (unless you want
to lose a large single digit percentage of users/sales and a chunk of the
public sector).

Every time I see a javascript pop up like "YOUR TRANSACTION WILL TAKE 45
SECONDS TO PROCESS - DO NOT CLICK SUBMIT AGAIN" my inner child software
engineer cries.

David.

-- 
*David Connors* | da...@codify.com | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact


RE: ASP.NET 101 - How to prevent double-clicking on a submit button?

2010-07-29 Thread Dylan Tusler
At first I thought you were pulling a Friday funny on me.

But I do see your point, having properly read your post now.

I think, in our case, the web form is a very long way away from the database, 
and after submission we go through a few human workflow steps involving 
assessing and validating the submissions before it gets anywhere near our DB, 
so I might just stick with JavaScript for the moment. Double-submission is more 
of an annoyance than a peril in our situation.

Here's what I've gone with (because I lurve C# and hate JavaScript)

btnSubmit.Attributes.Add("onclick", "this.disabled=true;");

in the form OnLoad.

Dylan.



From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of David Connors
Sent: Friday, 30 July 2010 8:44 AM
To: ozDotNet
Subject: Re: ASP.NET 101 - How to prevent double-clicking on a submit button?

On 30 July 2010 08:37, Dylan Tusler <dylan.tus...@sunshinecoast.qld.gov.au> wrote:
We've got an Ajax-ified multi-page form and I want to prevent double-clicking 
on the final page's Submit button. My first thought is just to disable the 
button in its on_Click event handler. Is this a suitable approach?

No. It might give you a perfunctory guard against a double-submission in the UI 
layer but, with the web being what it is, you cannot guarantee it won't be 
submitted twice.

I've looked around a little, trying to see what is the best approach to prevent 
someone from clicking twice (or more) on a submit button, but there seems to be 
a wide variety of methods to choose from, many involving JavaScript, or css, 
and so on. None of them seem simple enough to risk experimenting with.

The approach we always apply is:

 1.  Create a table in your DB, two columns, one being called DoubleSubmitGuard 
(GUID) and the other being DateTimeSubmittedUTC (Date/time).
 2.  At the time you generate the form, roll a new GUID, put it in that table, 
and also embed it in the form.
 3.  As a part of the form submission process, check that DateTimeSubmittedUTC 
is null, then do your normal work, and at the end of the transaction set the 
DateTimeSubmittedUTC to mark the form as submitted.
 4.  Optionally you can display something to the user along the lines of "This 
form has already been submitted" if they click submit twice.

Also disable the submit button as well if you want to improve the user 
experience, but I would not be using the disabling of UI elements to 
effectively implement the integrity of your database.

David.

--
David Connors | da...@codify.com | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 
363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact


-
To find out more about the Sunshine Coast Regional Council, visit your local 
office at Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
www.sunshinecoast.qld.gov.au.  If correspondence includes personal information, 
please refer to Council's Privacy Policy at http://www.sunshinecoast.qld.gov.au 
.

This email and any attachments are confidential and only for the use of the 
addressee.  If you have received this email in error you are requested to 
notify the sender by return email or contact council on 1300 00 7272 and are 
prohibited from forwarding, printing, copying or using it in anyway, in whole 
or part. Please note that some council staff utilise Blackberry devices, which 
results in information being transmitted overseas prior to delivery of any 
communication to the device.  In sending an email to Council you are agreeing 
that the content of your email may be transmitted overseas. Any views expressed 
in this email are the author's, except where the email makes it clear 
otherwise. The unauthorised publication of an email and any attachments 
generated for the official functions of council is strictly prohibited. Please 
note that council is subject to the Right to Information Act 2009 (Qld) and 
Information Privacy Act 2009 (Qld).


Re: ASP.NET 101 - How to prevent double-clicking on a submit button?

2010-07-29 Thread David Connors
On 30 July 2010 08:37, Dylan Tusler wrote:

> We've got an Ajax-ified multi-page form and I want to prevent
> double-clicking on the final page's Submit button. My first thought is just
> to disable the button in its on_Click event handler. Is this a suitable
> approach?
>

No. It might give you a perfunctory guard against a double-submission in the
UI layer but, with the web being what it is, you cannot guarantee it won't
be submitted twice.


> I've looked around a little, trying to see what is the best approach to
> prevent someone from clicking twice (or more) on a submit button, but there
> seems to be a wide variety of methods to choose from, many involving
> JavaScript, or css, and so on. None of them seem simple enough to risk
> experimenting with.
>

The approach we always apply is:

   1. Create a table in your DB, two columns, one being called
   DoubleSubmitGuard (GUID) and the other being DateTimeSubmittedUTC
   (Date/time).
   2. At the time you generate the form, roll a new GUID, put it in that
   table, and also embed it in the form.
   3. As a part of the form submission process, check that
   DateTimeSubmittedUTC is null, then do your normal work, and at the end of
   the transaction set the DateTimeSubmittedUTC to mark the form as submitted.
   4. Optionally you can display something to the user along the lines of
   "This form has already been submitted" if they click submit twice.

Also disable the submit button as well if you want to improve the user
experience, but I would not be using the disabling of UI elements to
effectively implement the integrity of your database.

David.

-- 
*David Connors* | da...@codify.com | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact
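
The four steps above in C# with ADO.NET against SQL Server, as an added example (not code from the thread; the table name `FormSubmitGuard` and the class and method names are assumptions). The check in step 3 and the marking are done as one conditional UPDATE inside the same transaction as the work, so two posts that arrive at the same moment cannot both see a NULL DateTimeSubmittedUTC.

```csharp
using System;
using System.Data.SqlClient;

// Added illustration; assumed table:
//   CREATE TABLE FormSubmitGuard (
//     DoubleSubmitGuard    uniqueidentifier NOT NULL PRIMARY KEY,
//     DateTimeSubmittedUTC datetime NULL);
public static class DoubleSubmitGuard
{
    // Step 2: call while generating the form; embed the result in the form.
    public static Guid Issue(SqlConnection conn)
    {
        Guid guard = Guid.NewGuid();
        using (var cmd = new SqlCommand(
            "INSERT INTO FormSubmitGuard (DoubleSubmitGuard, DateTimeSubmittedUTC) " +
            "VALUES (@g, NULL)", conn))
        {
            cmd.Parameters.AddWithValue("@g", guard);
            cmd.ExecuteNonQuery();
        }
        return guard;
    }

    // Step 3: returns false when the GUID is unknown or already submitted
    // (step 4: show "This form has already been submitted").
    public static bool TrySubmit(SqlConnection conn, Guid guard,
                                 Action<SqlTransaction> work)
    {
        using (SqlTransaction tx = conn.BeginTransaction())
        {
            using (var cmd = new SqlCommand(
                "UPDATE FormSubmitGuard SET DateTimeSubmittedUTC = GETUTCDATE() " +
                "WHERE DoubleSubmitGuard = @g AND DateTimeSubmittedUTC IS NULL",
                conn, tx))
            {
                cmd.Parameters.AddWithValue("@g", guard);
                // Exactly one row changes only for the first post of this form;
                // a concurrent duplicate waits on the row, then matches nothing.
                if (cmd.ExecuteNonQuery() != 1)
                {
                    tx.Rollback();
                    return false;
                }
            }
            work(tx);    // the normal work, enlisted in the same transaction
            tx.Commit(); // the mark and the work become visible together
            return true;
        }
    }
}
```

If `work` throws, the transaction is disposed without a commit and rolls back, which clears the mark so the user can submit the same form again.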


Re: ASP.NET 101 - How to prevent double-clicking on a submit button?

2010-07-29 Thread Grant Maw
We've always done it by using javascript, and disabling the button as you've
described.

HTH

Grant

On 30 July 2010 08:37, Dylan Tusler wrote:

> We've got an Ajax-ified multi-page form and I want to prevent
> double-clicking on the final page's Submit button. My first thought is just
> to disable the button in its on_Click event handler. Is this a suitable
> approach?
>
> I've looked around a little, trying to see what is the best approach to
> prevent someone from clicking twice (or more) on a submit button, but there
> seems to be a wide variety of methods to choose from, many involving
> JavaScript, or css, and so on. None of them seem simple enough to risk
> experimenting with.
>
> Dylan Tusler