[ic] Your favorite method for preventing duplicate orders

Davor Ocelic docelic at spinlocksolutions.com
Wed Nov 14 16:02:35 EST 2007 

On Wed, Nov 14, 2007 at 12:28:54PM -0800, Grant wrote:
> What is your favorite method for preventing users from placing
> duplicate orders?  I suppose this could happen if the user refreshes
> the order receipt page,

One of the things I absolutely dislike is the fact that the form processor
displays mv_nextpage to the client while the URL is left at process.html.
Even worse, like you say, the browser knows it is a result of form 
submission and if you refresh the page, you perform the action again.

One way, though probably not the most elegant, to solve this is to
[bounce href='[cgi mv_nextpage]'] at the end of every action code.
The bounced page would not be a result of form submission and you could
refresh it any way you want. The URL would be correct too. And if you
use cgi/value spaces the right way, [bounce] shouldn't create any problems.

Another solution is, I remember a while ago (2005-onwards) Frederic
Steinfels posted a patch (for Dispatch.pm IIRC?) that automatically
solves this directly on IC level. I don't remember if he used
$Tag->bounce or something else.

> clicks back from the order receipt page and
> submits the order again, or clicks the submit order button twice while
> the order receipt page is loading.  Anybody using a non-Javascript
> solution for this?

I talked to Racke about this some time ago. Basically I had an idea to
create a "form cache" on the server side. In short, it would cache
form submissions and let you control (through new variable mv_repeat
or mv_replay?) how often is a person able to submit the form. In
general, there should be some control allowing you to specify:

 - to which form names (or all forms) the specific restriction applies
 - to which field names (or all fields) it applies
 - when it applies (when the specified fields are the same, or different
   from previous submission, or in any case)
 - actual restriction: 1 = once per session, 2/10 = twice every 10
   minutes

If I could get some more comments on this I might go with
implementing it. It would solve the "form-replay" problem on the
right level.

Btw, kind of related info, Authorize.net seems to have this sort of
thing too. They do not process your payment again if it contains all
the same data and is submitted (by default) within 2 minutes from 
the previous payment.

-doc

More information about the interchange-users mailing list