I have gone through this question, but the answer posted their doesn't solve my problem.
The problem that occurs is that if the user hits the back button of the browser to return to the submitted form, the entered data persists and the user is able to "re-submit" the form. How can I prevent this behaviour (laravel's way)?
my route.php looks like
Route::group(array('after' => 'no-cache'), function()
{
Route::get('/', 'HomeController@index');
Route::ANY('/search','HomeController@search');
Route::get('user/login',array('as'=>'user.login','uses'=>'UserController@getLogin'));
Route::post('user/login',array('as'=>'user.login.post','uses'=>'UserController@postLogin'));
Route::get('user/logout',array('as'=>'user.logout','uses'=>'UserController@getLogout'));
Route::post('user/update/{id}',array('as'=>'user.update','uses'=>'UserController@userUpdate'));
Route::group(array('before' => 'auth'), function()
{
Route::get('user/profile',array('as'=>'user.profile','uses'=>'UserController@getUserRequest'));
Route::get('order/checkout','OrderController@checkout');
Route::get('order/status',array('as'=>'order.status','uses'=>'OrderController@orderStatus'));
Route::group(array('before' => 'csrf'), function()
{
Route::post('order/process','OrderController@process');
});
});
});
filter.php
Route::filter('csrf', function()
{
if (Session::token() != Input::get('_token'))
{
throw new Illuminate\Session\TokenMismatchException;
}
});
Route::filter('no-cache',function($route, $request, $response){
header("Cache-Control: no-cache,no-store, must-revalidate"); //HTTP 1.1
header("Pragma: no-cache"); //HTTP 1.0
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
});
controller code
public function process(){
//data is saved to database
Session::put('_token', md5(microtime()));
return Redirect::route('order.status');
}
public function orderStatus(){
return View::make('orderStatus')->with('message','done');
}
The Shift Exchange:
Are you sure your browser is not 'refreshing' the page when it presses 'back' - because of 'no-cache'? Try this: load the form, view the source, look @ the hidden token code. Then submit the form, press back, and @ look at the hidden token code - are they the same?
Trying Tobemyself Rahu:
no they aren't the same
Then that is your answer! Your browser is 'refreshing' the page when you are pressing 'back'!
So your code 'works' for most browsers - but whichever browser you are using is automatically refreshing the page on the 'back' - thus your token is being repopulated on the form. It is as is the user is 'revisiting' the form - so there is little you can do to stop this. It will work for most browsers...
Or you can turn off the 'no-cache' for the form - or set it to like 5mins or something - so the browser will not refresh the page.
Maybe have a 'form' cache filter - which is 5mins and a filter for all the other site - which is 0, something like that would be 'Laravel elegant' :)