I have developed a web application that processes credit card payments, and when a user hits the back button in Firefox after they have received the payment confirmation page, it posts a duplicate payment.
I have put the following code in both the payment form and confirmation page and it still posts duplicate payments:
Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
Response.Cache.SetValidUntilExpires(false);
Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
Response.Cache.SetAllowResponseInBrowserHistory(false);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
What am I doing wrong and how can I resolve it?
rerun has a good point in the comments. With regards to this problem, try this code (source):
Response.ClearHeaders();
Response.AppendHeader("Cache-Control", "no-cache"); // HTTP 1.1
Response.AppendHeader("Cache-Control", "private"); // HTTP 1.1
Response.AppendHeader("Cache-Control", "no-store"); // HTTP 1.1
Response.AppendHeader("Cache-Control", "must-revalidate"); // HTTP 1.1
Response.AppendHeader("Cache-Control", "max-stale=0"); // HTTP 1.1
Response.AppendHeader("Cache-Control", "post-check=0"); // HTTP 1.1
Response.AppendHeader("Cache-Control", "pre-check=0"); // HTTP 1.1
Response.AppendHeader("Pragma", "no-cache"); // HTTP 1.0
Response.AppendHeader("Keep-Alive", "timeout=3, max=993"); // HTTP 1.1
Response.AppendHeader("Expires", "Mon, 26 Jul 1997 05:00:00 GMT"); // HTTP 1.1
It should force all browsers to get the latest version and not the cached version of a page. (Might want to change the Expires date, as that post was from 2006.)
For the more general issue of not performing duplicate processing, have a read of the suggestions given at Not allow resubmit of page.
In summary, there are a few ways to try to stop the client's browser from repeating a request, but ultimately, if it's absolutely vital that submissions never get processed twice, you need to check on the server side whether a payment has already been processed. Add a unique identifier into the form that they submit, log it in the database, and if you see that same identifier a second time, don't process the request.
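The server-side check described in the last paragraph, sketched as an added example (not code from the original answer). PaymentTokenStore, Issue, Submit and the charge delegate are hypothetical names, and the in-memory dictionary stands in for a database table with a unique constraint on the token column.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// In-memory stand-in for a payments table with a UNIQUE constraint on the token column.
public sealed class PaymentTokenStore
{
    private const string Pending = "PENDING", InProgress = "IN_PROGRESS";
    private readonly ConcurrentDictionary<string, string> _state =
        new ConcurrentDictionary<string, string>();

    // Call when rendering the payment form; emit the value in a hidden field.
    public string Issue()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _state[token] = Pending;
        return token;
    }

    // Runs charge() at most once per token. A repeated POST (back button, refresh,
    // double click) gets the stored confirmation instead of a second charge.
    public string Submit(string token, Func<string> charge)
    {
        if (token == null || !_state.ContainsKey(token))
            throw new InvalidOperationException("Unknown payment token");
        // Atomic compare-and-swap: only one request can move PENDING -> IN_PROGRESS.
        if (!_state.TryUpdate(token, InProgress, Pending))
            return _state[token]; // earlier confirmation, or IN_PROGRESS if still running
        string confirmation = charge(); // if this throws, the token stays IN_PROGRESS for review
        _state[token] = confirmation;
        return confirmation;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new PaymentTokenStore();
        int charges = 0;
        Func<string> charge = () => "CONF-" + (++charges); // hypothetical gateway call
        string token = store.Issue();
        string first = store.Submit(token, charge);
        string replay = store.Submit(token, charge); // simulated back-button re-POST
        Console.WriteLine("{0} {1} charges={2}", first, replay, charges);
    }
}
```

With a real database, the same guarantee comes from a conditional UPDATE (or an INSERT against the unique constraint) executed before the gateway is called, so the check and the state change happen in one atomic statement.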