NYCPHP Meetup

NYPHP.org

[nycphp-talk] Disabling browser back button.

Michael B Allen ioplex at gmail.com
Sat Jun 21 19:39:25 EDT 2008 

On 6/21/08, PaulCheung <paulcheung at tiscali.co.uk> wrote:
> Hi
>
>  Can anybody suggest a way around this problem or point me in the right
> direction?
>
>  I have a genuinely legitimate reason to disable the browser back button, or
> at least the pages that have anything to do with the PHP application I am
> working on.
>
>  Here is the scenario
>  A user likes the on-line service provided and decides to purchase it using
> one of the standard on-line payment methods, typically PayPal.
>
>  Once payment has been made, confirmed and received, the user is directed to
> an customer account creation page. Here the user enters the usual standard
> account details such as Name, Address, Telephone Number, User-Id, Password
> and so on.
>
>  The application then generates an access code, which is automatically
> emailed from the application to the customer. As a precaution all PHP
> sessions variables are cleared, the "customer account creation page" is
> cleared and the user steered away from the signup part of the application to
> Google's main navigation page (this last bit being for testing purposes).
>
>  Here in lays the problem. After initial creation of the account code and
> when the back button is pressed a few times, the user eventually return to
> the "customer account creation page". Which is the step immediately
> following payment validation. At this point, if the customer wants to create
> another new account all she or he has to do is, fill it the form once more,
> press submit and another new account is created. If the user just keeps
> doing this, he or she just keeps on creating new accounts.
>
>  I have tried to disable the browser back button; but am unable to. I have
> researched JavaScript solutions and learnt, if the user turns off
> JavaScript, that is that.

The way this is usually dealt with is to use an HTTP redirect after
the action is performed.

And / or when you create a form you can add a hidden field containing
a random token. The server stores a copy of the random token in the
user's session. When the form is submitted, check to make sure the
token matches the one in the session. If it does destroy it and
perform the desired operation. Now if the user later backs into the
form and submits it the token will be old and you'll know not to
process the POST request action.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

More information about the talk mailing list