Reply button posts repeated comment when clicked twice.
Open, Medium, Public

Description

The Reply button has posted the same comment twice when I clicked it twice (over a slow connection).
It happened today here and here while posting to this thread.

The action should be idempotent - the server should check that pressing the Reply button many times for the same post is only processed once. A simple way to do this is to attach a hash value to each new post when the user starts it, and send it with the Submit action.

Event Timeline

dialmove raised the priority of this task from to Needs Triage.
dialmove updated the task description.
dialmove subscribed.
Restricted Application added a subscriber: Aklapper.

We should check with @csteipp about single usage CSRF tokens which would protect against this.

We should also disable the button on AJAX submit (we might already do that?)

Single-use CSRF tokens are hard: you have to cache used tokens for as long as they are good, and then check to make sure they haven't been previously used when checking them. Or you reset the user's secret, which means users can't really use 2 tabs, ever. Although if it's just for flow, you could make the token salt be "flow-<number-of-flow-posts-by-this-user>", so then only flow tokens would be effectively single use.

CSRF tokens can be time limited, but I don't think that will help you here.
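
An added sketch of the counter-salted token idea from the comment above, showing why a repeated click is rejected without caching used tokens. It is not code from this task or from MediaWiki; the `ReplyTokens` class, the HMAC-SHA256 construction and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ReplyTokens:
    """Per-user tokens whose salt includes the user's accepted post count."""

    def __init__(self):
        self.secrets = {}      # user -> per-session secret (hypothetical store)
        self.post_counts = {}  # user -> number of posts accepted so far
        self.posts = []        # accepted (user, text) pairs

    def _salt(self, user):
        # Salt format taken from the comment: "flow-<number-of-flow-posts>"
        return "flow-%d" % self.post_counts.get(user, 0)

    def issue(self, user):
        """Token embedded in the reply form when it is rendered."""
        secret = self.secrets.setdefault(user, secrets.token_bytes(32))
        return hmac.new(secret, self._salt(user).encode(),
                        hashlib.sha256).hexdigest()

    def submit(self, user, token, text):
        """Accept the post only if the token matches the current post count."""
        if user not in self.secrets:
            return False  # no form was ever rendered for this user
        if not hmac.compare_digest(self.issue(user), token):
            return False  # stale token: a post was already accepted with it
        # In a real deployment the check above and the increment below must
        # be one atomic step per user, or two in-flight requests both pass.
        self.posts.append((user, text))
        self.post_counts[user] = self.post_counts.get(user, 0) + 1
        return True


def double_click_demo():
    """Constructed scenario: one rendered form, Reply clicked twice."""
    srv = ReplyTokens()
    token = srv.issue("alice")
    first = srv.submit("alice", token, "my reply")
    second = srv.submit("alice", token, "my reply")
    return first, second, len(srv.posts)
```

A reply form rendered in another tab before the post was accepted holds the old token as well, so it needs a fresh token before it can submit.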