Home/ Questions/Q 944083
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T22:32:08+00:00

I’ve spent weeks working on double-submit protection on my forms. Straightup, the session method

  • 0

I’ve spent weeks working on double-submit protection on my forms. Straightup, the session method of storing tokens doesn’t work.

Sessions work fine for a refresh of the page or someone going back through their history… but the classic double submit by clicking the button numerous times cannot be prevented using sessions.

I’m thinking the script cannot check/write/delete sessions fast enough to catch the error when multiple clicks are being processed within milliseconds of each other.

Is there another server side method to preventing this problem?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It seems you need an independant token store capable of avoiding race conditions. To get this to work several solutions are available, one of the easier to implement would be:

    • Store the token in a database, with (tokencode,claimid) fields.
    • On receiving, set a claimid to microtime(), possibly even a process-id, or hash, as long as it’s very much assured to be unique in similar processes started within moment from each other.
    • Try to claim the token: UPDATE tokens SET claimid = <id> WHERE tokencode=tokencode AND claimid IS NULL
    • Count rows changed of previous statement (or do a select).
    • If a row has changed and/or has your microtime()’d claimid: you are the winner, continue with the action
    • If nothing has changed or the token has the wrong claimid the action will not be taken.
    • 0