Token Method on Forms, Double Submit Issue

Backend | Unresolved | 1 answer | 1575 views
旧巷少年郎 2021-01-15 19:43

I've spent weeks working on double-submit protection on my forms. Straight up, the session method of storing tokens doesn't work.

Sessions work fine for a refres

1 answer
  • 2021-01-15 20:24

    It seems you need an independent token store capable of avoiding race conditions. Several solutions are available to get this to work; one of the easier ones to implement would be:

    • Store the token in a database, with (tokencode, claimid) fields.
    • On receiving, set a claimid to microtime(), possibly combined with a process id or hash, as long as it is very much assured to be unique across similar processes started within moments of each other.
    • Try to claim the token: UPDATE tokens SET claimid = <id> WHERE tokencode = <tokencode> AND claimid IS NULL
    • Count the rows changed by the previous statement (or do a select).
    • If a row has changed and/or has your microtime()'d claimid: you are the winner, continue with the action.
    • If nothing has changed or the token has the wrong claimid, the action will not be taken.
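The claim-and-count procedure from the answer above, as an added example that is not part of the original thread. It uses Python with SQLite standing in for the database, a per-attempt uuid plus pid/thread id in place of microtime(), and several threads submitting the same token at once to show that exactly one claim succeeds while replays and unknown tokens are rejected.

```python
import os
import sqlite3
import tempfile
import threading
import uuid

SCHEMA = "CREATE TABLE IF NOT EXISTS tokens (tokencode TEXT PRIMARY KEY, claimid TEXT)"


def connect(path):
    # isolation_level="IMMEDIATE" makes each write start with BEGIN IMMEDIATE, so
    # concurrent claimers queue on SQLite's write lock (up to `timeout` seconds)
    # instead of deadlocking on a SHARED -> RESERVED lock upgrade.
    return sqlite3.connect(path, timeout=10, isolation_level="IMMEDIATE")


def issue_token(path):
    """Create an unclaimed token (claimid NULL) and hand it to the form."""
    token = uuid.uuid4().hex
    conn = connect(path)
    try:
        conn.execute(SCHEMA)
        conn.execute("INSERT INTO tokens (tokencode, claimid) VALUES (?, NULL)", (token,))
        conn.commit()
    finally:
        conn.close()
    return token


def claim_token(path, token):
    """Atomically claim the token; True only for the single winning submit."""
    # Stand-in for microtime()+pid: unique per attempt, even within the same tick.
    claimid = f"{os.getpid()}-{threading.get_ident()}-{uuid.uuid4().hex}"
    conn = connect(path)
    try:
        cur = conn.execute(
            "UPDATE tokens SET claimid = ? WHERE tokencode = ? AND claimid IS NULL",
            (claimid, token),
        )
        conn.commit()
        return cur.rowcount == 1  # rows changed: 1 = we won, 0 = already claimed / unknown
    finally:
        conn.close()


def race(path, token, attempts=8):
    """Submit the same token from `attempts` threads; return how many won."""
    results, lock = [], threading.Lock()

    def worker():
        won = claim_token(path, token)
        with lock:
            results.append(won)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo():
    path = os.path.join(tempfile.mkdtemp(), "tokens.db")  # constructed scratch DB
    token = issue_token(path)
    winners = race(path, token)                     # exactly one thread wins
    replay = claim_token(path, token)               # later re-submit is rejected
    unknown = claim_token(path, "not-a-real-token")  # forged token is rejected
    return winners, replay, unknown
```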