On 6/21/08, PaulCheung <[EMAIL PROTECTED]> wrote:
> Hi
>
> Can anybody suggest a way around this problem or point me in the right direction?
>
> I have a genuinely legitimate reason to disable the browser back button, or at least the pages that have anything to do with the PHP application I am working on.
>
> Here is the scenario:
> A user likes the on-line service provided and decides to purchase it using one of the standard on-line payment methods, typically PayPal.
>
> Once payment has been made, confirmed and received, the user is directed to a customer account creation page. Here the user enters the usual standard account details such as Name, Address, Telephone Number, User-Id, Password and so on.
>
> The application then generates an access code, which is automatically emailed from the application to the customer. As a precaution all PHP session variables are cleared, the "customer account creation page" is cleared and the user steered away from the signup part of the application to Google's main navigation page (this last bit being for testing purposes).
>
> Herein lies the problem. After initial creation of the account code and when the back button is pressed a few times, the user eventually returns to the "customer account creation page", which is the step immediately following payment validation. At this point, if the customer wants to create another new account all she or he has to do is fill in the form once more, press submit and another new account is created. If the user just keeps doing this, he or she just keeps on creating new accounts.
>
> I have tried to disable the browser back button, but am unable to. I have researched JavaScript solutions and learnt that if the user turns off JavaScript, that is that.
The way this is usually dealt with is to use an HTTP redirect after the action is performed. And/or when you create a form you can add a hidden field containing a random token. The server stores a copy of the random token in the user's session. When the form is submitted, check to make sure the token matches the one in the session. If it does, destroy it and perform the desired operation. Now if the user later backs into the form and submits it, the token will be old and you'll know not to process the POST request action.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
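The one-time token plus POST/redirect/GET pattern described in the reply above, as an added example that is not code from the thread; the field name `form_token`, the helpers `issue_token`/`consume_token`, the redirect target `/account/created` and the application function `create_account` are assumptions.

```php
<?php
// Added example (not from the thread): one-time form token plus
// POST/redirect/GET. Names (form_token, issue_token, consume_token,
// create_account, /account/created) are assumptions.
session_start();

// Issue a fresh random token and remember it in the session.
function issue_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Check the submitted token against the session copy. The stored token is
// destroyed before the comparison so the same form cannot be replayed,
// whatever the outcome of this request.
function consume_token(?string $submitted): bool {
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // one-time use
    if ($stored === null || $submitted === null) {
        return false;
    }
    return hash_equals($stored, $submitted);   // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_token($_POST['form_token'] ?? null)) {
        // Stale or missing token: the form was backed into and re-submitted.
        http_response_code(409);
        exit('This form has already been submitted.');
    }
    create_account($_POST);   // assumed application function: persist, e-mail access code
    // Redirect so the browser's history holds a GET, not the POST.
    header('Location: /account/created', true, 303);
    exit;
}

$token = issue_token();
?>
<form method="post" action="">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <!-- Name, address, telephone, user-id, password fields ... -->
  <button type="submit">Create account</button>
</form>
```

Because the token is removed before it is compared, a second submission of the same form fails even if the first is still being processed; PHP's default file session handler serialises requests for one session, which is what makes this check-and-destroy safe without extra locking.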