Page MenuHomePhabricator

Reply button posts repeated comment when clicked twice.
Open, MediumPublic

Description

The Reply button has posted the same comment twice when I clicked it twice (over a slow connection).
It happened today here and here while posting to this thread.

The action should be idempotent - the server should check that pressing the Reply button many times for the same post are only processed once. A simple way to do this is to attach a hash value to each new post when the user starts it, and sending it with the Submit action.

Event Timeline

dialmove raised the priority of this task from to Needs Triage.
dialmove updated the task description. (Show Details)
dialmove added a subscriber: dialmove.
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

We should check with @csteipp about single usage CSRF tokens which would protect against this.

We should also disable the button on AJAX submit (we might already do that?)

We should check with @csteipp about single usage CSRF tokens which would protect against this.

We should also disable the button on AJAX submit (we might already do that?)

Single use CSRF tokens are hard-- you have to cache used tokens for as long as they are good, and then check to make sure they haven't been previously used when checking them. Or you reset the user's secret, which means users can't really use 2 tabs, ever. Although if it's just for flow, you could make the token salt be "flow-<number-of-flow-posts-by-this-user>".. so then only flow tokens would be effectively single use.

CSRF tokens can be time limited, but I don't think that will help you here.