Preventing double form submissions

In this article I focus on the security of HTTP requests, and primarily on the submission of HTML forms.

Edited: 2014-12-27 19:16

By BlueBoden

A not so obvious problem, which is most likely to affect less experienced web developers, is the set of issues surrounding duplicated HTTP POST requests. These are typically sent when a user hits the browser's back button or refresh button after submitting a form from a web page.

You can prevent many such requests with JavaScript, by disabling the submit control in the HTML form immediately after it has been clicked. This is, however, not a reliable way to prevent duplicated posts, unless your application already depends on JavaScript to function properly. Even then, a malicious user might still get the idea to spam your application with constructed POST requests, so there is really no way around adding some server-side checks.

Preventing double submits with JavaScript

This should only be done with performance in mind, as it will only prevent double submits originating from your own website, but it does still save some server processing.

The optimization is of course insignificant, since very few people will be hammering the submit button, but it may still stop some malicious or malfunctioning scripts from running against your site, and as such save you some processing power.

JavaScript validation should never be used to replace server-side validation, since a malicious user can easily send constructed HTTP requests from outside the browser.

Do not obsess about adding JavaScript optimizations to your CMS; the only people who should seriously consider this are the big players on the internet, like Google and Facebook, since they handle a humongous number of HTTP requests.

Preventing double form posts from the server

If you are using a server-side scripting language such as PHP, then you can easily prevent all of these duplicate posts by saving each POST request in a database table, using a PHP time value as the unique id.

To catch all POST requests made to your application, you could include something like the snippet below at the top of your PHP script.


  <?php
  if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Query the database with an INSERT, using the request id as a unique key,
    // and handle a potential ON DUPLICATE KEY error.
    // query() is a placeholder for your own database helper:
    // $query = query("....");

    if (!$query) {
      // The status header must be sent before any output
      header('HTTP/1.1 403 Forbidden');
      echo 'That request has already been sent!';
      exit;
    }
  }


You would likely want to show the error in an HTML template if you really care about the quality of your site's CMS, but it is not strictly necessary.
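As an added example (not code from the original article), the following stand-alone PHP script implements the check above with a per-form random token in place of the time value, so that two different users posting in the same second are not rejected. It stores consumed tokens in a SQLite table with a primary key and treats the resulting constraint violation as the duplicate signal; the table name, column names and the form_token field name are assumptions.

```php
<?php
// Added example, not from the original article. Table/column/field names are assumed.
session_start();

$db = new PDO('sqlite:' . sys_get_temp_dir() . '/used_form_tokens.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS used_tokens (token TEXT PRIMARY KEY, used_at INTEGER NOT NULL)');

// Called while rendering the form: one unpredictable token per form view.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$token] = time();
    return $token;
}

// Called at the top of the POST handler. Returns true the first time a token is
// seen and false for a replayed request (back button, refresh, or a re-sent copy).
function consume_form_token(PDO $db, ?string $token): bool {
    if ($token === null || !isset($_SESSION['form_tokens'][$token])) {
        return false; // never issued to this session, or already consumed
    }
    unset($_SESSION['form_tokens'][$token]);
    try {
        // The INSERT is the duplicate check: the primary key rejects a second insert.
        $stmt = $db->prepare('INSERT INTO used_tokens (token, used_at) VALUES (?, ?)');
        $stmt->execute([$token, time()]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() == '23000') { // SQLSTATE 23000: integrity constraint violation
            return false;
        }
        throw $e;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($db, $_POST['form_token'] ?? null)) {
        header('HTTP/1.1 403 Forbidden'); // headers go out before any output
        echo 'That request has already been sent!';
        exit;
    }
    echo 'Submission accepted.'; // process the form exactly once here
    exit;
}

// GET: render the form with a fresh token embedded as a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="form_token" value="' . $token . '">'
   . '<button type="submit">Send</button></form>';
```

Because the token is bound to the session and consumed on first use, the same check also gives you a basic cross-site request forgery mitigation for free.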

Using server-sided checks to prevent crazy behavior

What I define as crazy behavior is typically anything from scripts, bots and hackers, down to the normal user who misbehaves by sending your application weird HTTP requests.

Many web developers do not realize that a lot of attacks on their applications can be entirely prevented by catching and analyzing weird HTTP requests and responding to them properly.

For instance, there is no legitimate reason for someone to request non-existent admin pages on your site, and as such, requests coming from those IPs can be safely blocked temporarily to save server resources.