I was wondering if the Pay module offers any protection against double clicking (leading to duplicate transactions). Looking at form_submit() in includes/handlers/pay_form.inc I can see it unsets $form_state['rebuild'] and $form_state['storage'] but not entirely sure if that is a double-click prevention method or not, is it?

Comments

yeagermiester’s picture

@stella

At least in practice, our implementation is vulnerable to double-clicking. We've had to do one refund already after having been in production for a week.

pillarsdotnet’s picture

Could set a session variable in the form and check/clear it on submit.