Archive for the 'Security' Category

Preventing multiple form submission

Technology: JavaScript

Level: Intermediate

Depth: Brief

For any form, clicking the "Submit" button twice submits the form twice. The back-end logic then runs twice for one user action (a duplicated order, payment or record), which is a flaw.

This can be guarded against on the client side or the server side. Whatever the server-side language, the back end can detect a repeated submission of the same form (for example by issuing a one-time token with the form and rejecting any submission whose token has already been consumed), and that is the control to rely on, because anything done in the browser can be switched off, bypassed or replayed. In this post I show the client-side JavaScript part, which improves the user experience and catches the accidental double click.

Code / Remarks

<input type="submit" value="Submit" onclick="this.onclick=new Function('return false;');">
    The button does not submit the form again: the first click replaces its own click handler with one that returns false (the property must be spelled onclick in lower case, JavaScript property names are case-sensitive). Once replaced, the button never submits again on this page load, so a hung first request cannot be retried without a reload.

<input type="submit" value="Submit" onclick="this.disabled=true" />
    The submit button is disabled once it has been pressed the first time. Caveat: a disabled control is left out of the submitted data, and some browsers have cancelled the submission when the submitter is disabled inside its own click handler, so it is safer to disable buttons from the form's submit event.

<input type="submit" value="Submit" onclick="this.value='Processing...'" />
    The user is told that the form is being processed, but nothing prevents the re-submission.
<script type="text/javascript">
// Let the first click through, swallow the following ones, and let a click
// through again once the user has clicked start_over_at times.
var start_over_at = 3;
var counter = 0;

function monitor() {
    counter++;
    if (counter >= start_over_at) { counter = 1; }
    if (counter > 1) { return false; }
    return true;
}
</script>

<input type="submit" value="Submit" onclick="return monitor()" />

This script lets the first click submit, blocks the following clicks, and lets a click through again once the user has clicked start_over_at times: with start_over_at = 3 the first and third clicks submit and the second is swallowed. The reset exists so that a user whose first submission hung (server down, lost connection) is not locked out of retrying.
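The three snippets above and the monitor() script each cover one piece of the problem. The following guard, an added example that is not code from the original post, combines them: it allows the first submission, swallows immediate repeats, relabels the button, and permits a retry after either a number of further clicks (the start_over_at idea) or a timeout, so a hung request does not lock the user out. It listens on the form's submit event rather than the button's click so that keyboard (Enter) submissions are covered too. The names createSubmitGuard, attachSubmitGuard and the option names are this example's own, and the guard is kept free of DOM calls so it can be exercised outside a browser.

```javascript
// Added example, not part of the original post. All names here are assumptions
// made for the example; the DOM wiring at the bottom only runs in a browser.

function createSubmitGuard(options) {
  var opts = options || {};
  var retryAfterClicks = opts.retryAfterClicks || 3;   // 3 plays the role of start_over_at
  var retryAfterMs = opts.retryAfterMs || 10000;       // retry allowed after 10 s without a response
  var now = opts.now || function () { return Date.now(); }; // injectable clock, used by tests
  var inFlight = false;      // a submission has been sent and not yet acknowledged
  var blockedClicks = 0;     // clicks swallowed since it was sent
  var sentAt = 0;

  return {
    // Decide whether this submit attempt goes to the server (true) or is swallowed (false).
    attempt: function () {
      if (inFlight) {
        blockedClicks += 1;
        var timedOut = now() - sentAt >= retryAfterMs;
        // With retryAfterClicks = 3: 1st click submits, 2nd is swallowed, 3rd submits again.
        if (blockedClicks < retryAfterClicks - 1 && !timedOut) {
          return false;
        }
      }
      inFlight = true;
      blockedClicks = 0;
      sentAt = now();
      return true;
    },
    // Call when the response arrives (success or error) so the user can submit again at once.
    reset: function () { inFlight = false; blockedClicks = 0; sentAt = 0; },
    isInFlight: function () { return inFlight; }
  };
}

// Browser wiring: the form's submit event fires for button clicks and for
// Enter-key submissions alike, and relabelling happens only once the
// submission has been accepted, never inside the button's own click handler.
function attachSubmitGuard(form, guard) {
  var buttons = form.querySelectorAll('input[type=submit], button[type=submit]');
  form.addEventListener('submit', function (event) {
    if (!guard.attempt()) {
      event.preventDefault();   // duplicate: it never reaches the server
      return;
    }
    for (var i = 0; i < buttons.length; i++) {
      var b = buttons[i];
      if (b.tagName === 'INPUT') { b.value = 'Processing...'; } else { b.textContent = 'Processing...'; }
    }
  });
  return guard;
}

if (typeof document !== 'undefined') {
  var guardedForm = document.querySelector('form');
  if (guardedForm) {
    attachSubmitGuard(guardedForm, createSubmitGuard({ retryAfterClicks: 3, retryAfterMs: 10000 }));
  }
}
```

For a classic full-page POST the navigation ends the page, so nothing more is needed; for a form submitted over XMLHttpRequest or fetch, call guard.reset() in the response handler so the user is unblocked as soon as the server answers instead of after the timeout. None of this replaces the server-side check: a client that disables JavaScript or replays the request still reaches the back end.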

Some useful links:

  1. http://www.willmaster.com/library/web-development/multiple-form-submission-prevention.php
  2. http://www.smashingmagazine.com/2009/01/12/10-useful-web-application-interface-techniques/

Enforcing single login

Technology: ASP.NET/C#, Database (Any)

Level: Intermediate/Expert

Depth: Brief

In my previous article [ Single login using ASP.NET ], I discussed how to enforce single login in an ASP.NET web application with the help of the [Session_End event] and [Cache].

Here I discuss another way of doing the same job, this time using the database.

STEP 1: In the table that stores user credentials, add an extra column, [LAST_ACTIVITY_ON].

– Sample Table

CREATE TABLE USER_CREDENTIAL_EXAMPLE
(
    USER_ID          INTEGER,
    FULL_NAME        VARCHAR2(100 BYTE),
    ADDRESS          VARCHAR2(200 BYTE),
    LOGIN_ID         VARCHAR2(50 BYTE),
    LOGIN_PASSWORD   VARCHAR2(100 BYTE),   -- store a salted password hash here, never the plaintext password
    LAST_ACTIVITY_ON DATE                  -- heartbeat: time of the user's last request
);

STEP 2: On every authenticated request, before running any server-side logic, update the [LAST_ACTIVITY_ON] field with the current date and time. This is the heartbeat that tells a later login attempt whether a session is still alive.

STEP 3: Authentication logic goes like the following:

  1. Login_ID and password are correct (compared against the stored salted hash).
  2. The time elapsed since LAST_ACTIVITY_ON is greater than the session timeout, meaning no other session for this user is still alive. The comparison must be "older than the timeout": a timestamp within the timeout window means another session is active and the login has to be refused.

    // lastActivityOn holds the LAST_ACTIVITY_ON value read for this user
    TimeSpan idle = DateTime.Now - lastActivityOn;
    if (idle.TotalMinutes > HttpContext.Current.Session.Timeout)
    {
        // login successful: no live session for this user
    }
    else
    {
        // a session was active less than Session.Timeout minutes ago: reject the login
    }

STEP 4: While logging out, set the [LAST_ACTIVITY_ON] field to a date in the past, something like [1-1-1999], so that the next login passes the check in STEP 3 immediately.

The logic is straightforward. Two things to watch: the check in STEP 3 and the update that claims the session should be a single atomic statement, otherwise two logins arriving at the same instant both read a stale LAST_ACTIVITY_ON and both succeed; and a user whose browser crashed without logging out stays locked out until Session.Timeout minutes have passed, which is the price of refusing the second login rather than evicting the first.
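The three statements behind STEPs 2 to 4, as an added example that is not the original post's code. It assumes the USER_CREDENTIAL_EXAMPLE table above, Oracle-style date arithmetic in fractions of a day (SYSDATE - n/1440 is n minutes ago), and bind variables :user_id and :timeout_min (the value of Session.Timeout) supplied by the application, which has already verified the password in C# before the login statement runs. The login step folds the "older than the timeout" check and the claim of the slot into one UPDATE, so the race described above cannot occur, and both sides of the comparison use the database clock.

```sql
-- Added example, not the original post's code. Assumes the
-- USER_CREDENTIAL_EXAMPLE table above, Oracle date arithmetic
-- (SYSDATE - n/1440 is n minutes ago) and the bind variables
-- :user_id and :timeout_min supplied by the application.

-- STEP 2: heartbeat, run before the server-side logic of every
-- authenticated request.
UPDATE USER_CREDENTIAL_EXAMPLE
   SET LAST_ACTIVITY_ON = SYSDATE
 WHERE USER_ID = :user_id;

-- STEP 3: login. The application has already checked LOGIN_ID and the
-- password hash. Instead of reading LAST_ACTIVITY_ON and then updating it
-- (two logins arriving together would both pass the read), the check and
-- the claim are one statement: the row is updated only if no session has
-- been active within the timeout window.
UPDATE USER_CREDENTIAL_EXAMPLE
   SET LAST_ACTIVITY_ON = SYSDATE
 WHERE USER_ID = :user_id
   AND (LAST_ACTIVITY_ON IS NULL
        OR LAST_ACTIVITY_ON < SYSDATE - :timeout_min / 1440);
-- rows updated = 1 : login successful, start the ASP.NET session
-- rows updated = 0 : another session is still alive, refuse the login

-- STEP 4: logout releases the slot by pushing the timestamp into the past,
-- as the post does with 1-1-1999.
UPDATE USER_CREDENTIAL_EXAMPLE
   SET LAST_ACTIVITY_ON = DATE '1999-01-01'
 WHERE USER_ID = :user_id;
```

In C# the login step reduces to running the second UPDATE through a parameterised command and treating ExecuteNonQuery() returning 0 as "already logged in"; no separate SELECT of LAST_ACTIVITY_ON is needed.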

Cheers !!!
