Restricting users resubmitting requests

 
Greenhorn
How can I stop users using the back button, refresh, etc. to make requests that I don't want them to make? For example, if the user submits a form which inserts a database record and then presses refresh, they submit another database record the same.

I notice on other sites it will say "this page has expired" or something similar.

When searching I found info about a PRG pattern. Is this the best method or are there other ways? I would like to use the simplest method possible.
 
Sheriff
PRG is your best practice.
 
Tony Williamson
Greenhorn

Bear Bibeault wrote: PRG is your best practice.


I read two articles about it but I'm not sure if it is possible in my application without redesigning the whole thing.

Is there any other way to do it?
 
Ranch Hand

Tony Williamson wrote: I notice on other sites it will say "this page has expired" or something similar.

Disable client side caching of the page by setting the cache-control, pragma and expires headers accordingly.
 
Bear Bibeault
Sheriff
Cache control won't help with the problem of resubmitting a POST sitting on the page.

You either need to refactor the app, or bend over backwards to try and determine if an action is being repeated.
 
Bauke Scholtz
Ranch Hand
No, not that. You already mentioned the PRG pattern for that.

Another alternative is a (preshared) key with a unique identifier in the session scope which is passed as a request parameter and is immediately handled at the very beginning of the request processing. Apache's MVC framework Struts uses this technique under the name "token".
 
Bear Bibeault
Sheriff
Using that technique, care must be taken that the token isn't just recreated as part of the refresh, but that may be the path of least resistance in this case.
 
Tony Williamson
Greenhorn
Thanks for the help guys. I think I'll try the token method.

Is there a specific term for this method that will help me find more info about it? I'm not sure how to make it work.
 
Bauke Scholtz
Ranch Hand
1) Generate a unique key.
2) Store it in a collection in the session scope.
3) Add this key to the form as a hidden input value.
4) On processing of the request immediately check if the key is present in the collection in the session scope.
5a) If it is present, remove it from the collection and proceed with request.
5b) If it is absent (can be caused by either double submit or expiration of session), abort the request.
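
The six steps above in Java, as an added example that is not part of the original thread. A plain Map stands in for the servlet session so the class runs without a container, and the names FormTokenDemo, issue, consume and formTokens are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example: one-time form tokens following steps 1-5b of the thread.
// The Map stands in for HttpSession attributes (assumption, to run offline).
public class FormTokenDemo {
    private static final String ATTR = "formTokens"; // hypothetical session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    @SuppressWarnings("unchecked")
    private static Set<String> tokens(Map<String, Object> session) {
        // Step 2: one collection of outstanding keys per session.
        return (Set<String>) session.computeIfAbsent(ATTR, k -> ConcurrentHashMap.newKeySet());
    }

    // Steps 1-3: call only while rendering the form (the GET), never while
    // handling the POST, so a refresh of the POST cannot mint itself a new key.
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens(session).add(token);
        return token; // goes into the form as a hidden input value
    }

    // Steps 4-5: Set.remove is the presence check and the removal in a single
    // atomic call, so two concurrent submits of one form cannot both pass.
    static boolean consume(Map<String, Object> session, String submitted) {
        return submitted != null && tokens(session).remove(submitted);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new ConcurrentHashMap<>(); // constructed stand-in session
        String token = issue(session);
        System.out.println("first submit accepted:    " + consume(session, token));
        System.out.println("refresh resubmit accepted: " + consume(session, token));
        System.out.println("expired session accepted:  " + consume(new ConcurrentHashMap<>(), token));
        System.out.println("missing token accepted:    " + consume(session, null));
    }
}
```

In a servlet the same two methods would keep the set in the session through HttpSession.getAttribute and setAttribute, with consume called before any database work is done.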
 
Ranch Hand
Yes, you should use the token concept from Struts.
 