After successfully submitting the form I am setting the submission time using PHP cookie.
If the user again submits the form then I am checking if the time is past 24 hours or not.
If it's not passed 24 hours then I am showing an error message. So for that in the Chrome browser, it's working for me with below code:
After successfully submitting the form
$cookieName = 'submission_time';
$cokkieValue = time();
setcookie($cookieName, $cokkieValue, time() + (+60*60*24*30 ), "/");
If user again submit the form
if(isset($_COOKIE['submission_time'])) {
$submissionTime = $_COOKIE['submission_time'];
$currentTime = time();
$timePassed = ($currentTime - $submissionTime ) / 60 * 60;
if($timePassed < ALLOWED_SUBMISSION_TIME ) {
echo "<div class='alert alert-warning'>You can record the sales after 24 hours! Please wait..</div>";
die();
}
}
now, I am again submitting the form with IE browser but it's don't showing me that warning message that set like:
You can record the sales after 24 hours! Please wait..
Is there any workaround for that?
Basically, I want to prevent multiple submission within 24 hours.
Depending solely on cookies to ensure users of your service to not be able to submit a form is not a good enough measure. What if the user just simply clears the cookies (it's also as simple as to use incognito/private mode on browsers). As I see it here, you have two options, based on the scenario.
If it is required to add credentials/log in to access and send the form, you can add a column for when the user last successfully submitted the form (e.g last_submitted). In your logic you then simply check the current server time with the last_submitted time.
If it is not required to use any kind of credentials, what you can do is hash the users ip address (as storing it unobfuscated may be illegal) and add a column for ip_hash and last_submitted (as previously stated). You then do the same logic, where you check if a user whose hashed ip corresponds with your stored hashed ip has surpassed 24 hours. This is also not 100%, as the user can simply change ips/use VPN to surpass it (although a bit more tedious than simply going in incognito mode).
The best scenario is to save this timestamp in database and when your users want to submit again, you will check the saved timestamp from your database. It's more secure and easy one. make sure you have at least a normal authentication method for users!