sry, for not taking part at the discussion the first time (#107358: Prevent multiple form processing: causing duplication of nodes/users), but I think there is some room to further improve it.
First of all the current implementation does only prevent duplicate submissions if the user is pressing the same button twice or more. It can be tricked by toggling between two different submit buttons. That might be also a problem, if a user changes his decision and he tries to press the other button after he has already pressed the first one - which would lead to duplicate submissions.
Furthermore the current implementation might introduce problems, if the user wants to submit the same post data twice, which might be a legitimate use case, e.g. the confirm_forms for which currently the duplication check has been turned off.
So I'd propose to adapt the current behavior of serializing and hashing $_POST to using the form build time. Attached is the patch, which does this. It's tested to work with #multistep forms (even if they submit on each step) and it also detects duplicate form submissions even with different submit buttons. It lets each generated form submit only once, which of course doesn't affect multiple opened forms!
Furthermore I think the old implementation has troubles with programmed forms, that are invoked from inside a form submit. That would avoid any detection of duplicate form submits, because the programmed form would overwrite the session data. I've fixed this also.
Patch for 6.x is attached.
In short the advantages of this approach are:
• it also detects different pressed submit buttons,
• it fixes legitimate use cases, that submit the same post data twice
• it works with embedded programmatic forms too
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | duplicate_forms_5-2.patch | 2.05 KB | fago |
| #1 | drupal_duplicate_forms.patch | 3.62 KB | fago |
| drupal_duplicate_forms_6.patch | 3.6 KB | fago |
Comments
Comment #1
fagoas the code is also in 5.x, here is a patch for 5.x
Comment #2
m3avrck commentedWow this is great!!! Yes it really does improve some limitations of the current implementation. I would love to see this get into 5.x too -- since it's mostly bug fixes and better implementation.
Don't have much time to test it now but subscribing to add more thoughts later.
Comment #3
robertdouglass commentedNeeds a re-roll now that http://drupal.org/node/141636 has gone in.
Comment #4
fagook, here is a rerolled version for 5.x
I've left over the option $form['#skip_duplicate_check'] from the old (reverted) solution. But there shouldn't occur any troubles with this duplicate checks, so we could remove the option to disable it?
If preferred, I reroll it without the option.
Comment #5
robertdouglass commentedI'm changing the version of this back to 5 because the D6 version of this solution is going to be very different.
Comment #6
fagoI just recognized that this might introduce problems, if users use the back button of IE7. In this case IE7 doesn't reload the page, so the system will detect a duplicate form submission, when the user submits the form again.
So I think now this can't be solved cleanly on server side.
Comment #7
m3avrck commentedBest bet is still the JS method: http://drupal.org/node/107358#comment-487851
This will automatically be built into my new theme that is due out early Feb: http://drupal.org/project/blueprint
Comment #8
fool2 commentedI've tried to do this with JS. However, it won't work if the user disables javascript. In my case, the users are trying to glitch the system purposely so that they can get extra points. (I'm running a game on a drupal backend)
Comment #9
Traverus commentedMarked as closed (won't fix) and most new duplicates point here. Is this really never going to be fixed? It is apparently a pretty common complaint, these are the issues I found with 5 minutes of searching.
#873650: Node Submit button creates double entries if button is clicked fast
#107358: Prevent multiple form processing: causing duplication of nodes/users
#139670: skip duplicate form submits the second
#805058: Duplicate nodes created if Submit button is clicked twice in rapid succession
Comment #10
NBZ4live commentedThe problem with the duplicate form submits is a critical bug, IMHO.
If your Drupal site runs on a server with limited resources and someone wants to bring it down, he simply needs a script for automatic submit of a form like the user_profile_form and every submit will produce a lot of unnecessary DB requests. That can cause many problems with the server load.
For example if you make 30 -50 submits of the user_profile_form per second, it can kill your site. Every submit of the user_profile_form saves the Data to the DB. The same for comment edit forms or what ever edit form the user can access.
You don't need a distributed attack. Only a small curl script and ip change possibility.
If you have a virtual or dedicated server, you can use this Nginx plugin: http://wiki.nginx.org/HttpLimitReqModule
But this is not available on shared hosts and is not a clean solution for such problems.
Comment #11
xjmSee: http://drupal.org/node/45111 for the definition of issue priorities.
Let's add an issue summary here that explains the issue and the different routes to reproduce it. Clear steps that users can test will help.
Comment #12
kenorb commentedFor references:
4.x-5.x module: http://drupal.org/project/formsingle
6.x-7.x module: http://drupal.org/project/hide_submit
Comment #13
j0rd commentedSeems silly to reply to a comment from 2007, but I just ran into this problem today. I know both Ubercart or Drupal Commerce handle this on the client side via JS, but that seems like a poor solution, since I would assume "submitting same form twice, in rapid succession, creating duplicate content" is a feature few want.
I need a fix for D7 myself.
Is there not something that could get done with $form['#build_id'] to prevent duplicates. Seems to me, that if you submit a form with the same build_id or form_token, that it should only get submitted once.
If anyone has a good solution for this, please let me know.
Comment #13.0
j0rd commentedlink to older issue should be a [#...], not explicit url.
Comment #14
jcovington commented#11 says this needs a backport to 7.x but I am not sure where to find the fix for 8.x, if it has been fixed there.
Comment #15
elijah lynnjcovington, I don't think it has been fixed in 8.x yet but the way the Drupal core issue queue works is that everything must be fixed in 8.x first and once it is then it needs to be backported to 7.x.
Hope that helps.
Comment #16
elijah lynnBtw, a current contrib workaround is to use the hide_submit module.
Comment #17
mitokens commentedComment #26
pameeela commentedAny followers of this issue able to update the IS to summarise the current state? Seems likely that things have changed a lot in the last five years...
Comment #27
pameeela commentedComment #28
pameeela commentedRevisiting this. The hide_submit module mentioned here does not have a D8/9 version, so I thought it must now be resolved. I have found that this was fixed for most forms in #1705618: Double click prevention on form submission. It is still possible to replicate this for comments, but as that is a much more narrow issue I think we are better served creating a new ticket for that. So I am marking this 'Closed (outdated)' since much of this is already resolved, even though not completely. I have created #3220709: No double click prevention on content entity form.
I guess possibly this could be moved to the D7 queue, so if anyone thinks that should happen instead please reopen and update the version.