Avoiding Erroneous Double Hits
What are Double Hits?
Firstly, what do I mean by double hits? Essentially, these are where you have a lot of pairs of page requests, i.e. the same page has been requested twice by the same user within a matter of seconds. Normally this wouldn't be a problem, but when you have something connected to the backend that needs accurate information on clicks, like tracking software or a shopping cart (you don't want to be putting the same item in the cart twice now, do you?), this can be a major problem. The reason it happens is that modern browsers request the page in multiple streams to speed up display: the page is only displayed once, but behind the scenes there could be two or more streams open to it, each downloading various bits of the page. The problem is that the server-side code is run in full for every one of those requests, even though each of them only needed a separate part of the resulting HTML.
A Real World Example
I'll explain a real world problem where this actually became a major issue. Recently, I was working on a site that sold information, and the whole thing was based on a credits scheme. Each time the user requested some information, they were docked a credit accordingly. Unfortunately, during a lot of the testing phase, we noticed that more often than not, two credits were being used. Now, at the time, I was baffled. I used debug output in the page, which reported everything as fine, but the debug output entered into the database told a quite different story. There were pairs of entries, mere seconds apart, for the same user and request. A little Googling later (well, slightly more than a little) and I eventually found the cause of the problem: the browser itself! Actually, that's oversimplifying it really; the problem ultimately lies with web design in general. Not following me? Here goes:
The Difference Between Get and Post Data
When passing parameters to the server from the browser, there are two methods one can use: Get or Post. Get data is passed directly in the URL. This method is intended only for retrieving data, never for making changes to anything residing on the server. Post data is sent with the headers, so it is a bit more secure and is not displayed in the browser; Post is intended for making changes to server-side data, e.g. adding an entry to the database. The major drawback with Post, however, is that you can't just use regular HTML links; you are forced to use forms or some sort of JavaScript trickery.
Because of this, when giving the end user a nice list of bits of information they wish to purchase, you are limited to using a form in order to send Post data. Of course, you can use JavaScript to change hidden form fields, but this isn't very accessible. Proper links are always good, but then you run into the double hits situation. It seems like an impossible situation, but there is a workaround.
The Solution
The answer is to sanitise your database input by checking for entries made within the last few seconds that are too similar to the one you are about to add.
So, say you have a site that also sells information. Before deducting any credits from the user, check to see if a credit has just been used by the same user, requesting the same bit of information, within a very short space of time (10 seconds is usually close enough). Obviously this only works if you record all such actions, so some sort of audit table in your database comes in handy here. Record everything you think might be useful in preventing the problem, such as the user ID, the date and time, the bit of information they requested, and maybe their IP address (as it's not inconceivable that one login might be used by a group of users who belong to a single company).