I have been trying to figure out how to prevent multiple form submissions without the use of js due to the chrome compatibility issue. I read through a few online articles and one mentioned the pgr pattern.
I am currently using flash messaging for all of my notifications ( error, information, etc. messages saved to sessions, displayed, then unset )
After reading about the pgr pattern i decided to try just placing a header redirect right below my post check
if (!empty($_POST['create'])) {
header('Location:'.$fullUrl);
// Sanitize, Validate, Process
// If No Errors Complete Form
}
When i submit the form even though i am redirecting i still have access to my post variables and there are 0 issues, i don't have to worry about multiple form submissions, errors and success is displaying correctly. I want to know why i still have access to the post data when i redirect right after post.
I am using form tokens to prevent csrf attacks, would this affect that negatively in any way since the page is being reloaded and the post variables are being kept. Is there a particular method that i should be using? I do not have to worry about page being refreshed after submission because i redirect on completion of processing. I just need to prevent spamming of submit button from processing the form on every button click resulting in multiple db inserts etc.
You can validate the CSRF before redirecting and invalidate the token, save in session that the CSRF check has passed and proceeed with the redirect where you check the session for the CSRF check pass. This way on 2nd submit you will receive the same token wich has been invalidated and the CSRF will fail and prevent the redirection.
header();
redirects you but the script continues to execute till it ends or gets exit();