germanraffo

Technique to avoid form resubmit

Hello everyone! I hope you are having the best possible time in this pandemic situation. I am dealing with the problem that users can click multiple times on links/buttons, so that multiple requests are sent to the controller.

In my case, when a user clicks on a button, the controller makes a query to an external API and creates a record in the database with the corresponding information. So far I am simply avoiding this with JavaScript on the client side, disabling the elements once they are clicked. But if a malicious user disables JavaScript, they can bypass that security barrier.

Today it occurred to me to solve it in the following way: what would happen if the vital elements for calling the controllers (links, forms, etc.) were generated through JavaScript when the user enters the site?

To give an example: if I need a form to create a user, I can create it through JavaScript. That way, if a malicious user tries to create a user without JavaScript, they won't see the important forms and elements.

This way, the important forms and elements will only be available if the user has JavaScript enabled, and so I make sure that the mechanism I currently have to avoid form resubmit keeps working.

What do you think of this way of trying to solve the problem?

jlrdw

Well, to prevent that malicious user, make sure you are using authentication and authorization to even be on that page. But that's just a suggestion.

germanraffo

Yes. I'm assuming that the malicious user has an account on my website.

jlrdw

What you're wanting to do is progressive enhancement, which would work, but you could also preventDefault and submit with Ajax; that would be another option.

germanraffo

Maybe I didn't express myself well. I am trying to avoid using the server to prevent users from making many clicks/multiple submits on a link/button. I am using the classic technique of disabling the button so that it cannot be clicked a second time.

But to add a higher layer of security and prevent users from disabling JavaScript and clicking as often as they want, I'm adding those clickable elements to the DOM via JavaScript. That way, you can only interact with the site with JavaScript enabled. If you have JavaScript disabled, you can't see/click those buttons.

jlrdw

I agreed with you. But even your technique wouldn't stop a malicious user. By using Ajax for the "sending" of data only, you could then disable the button.

So I am not sure what you are asking, if Ajax won't work.

And the replies are only suggestions.

