I'm trying to process a credit card transaction in .NET and it works perfectly in Safari, Opera, and IE. When I try the same transaction in Firefox it sends two requests and I end up with a double-charged card. From a quick search on Google, it seems that this is an issue with Firebug, but I am unable to find a way to stop this double post.
Does anyone have any idea on how to prevent Firefox (and Firebug) from doing this?
Use a nonce, a unique key which is only used once.
Send a unique number along with the form fields to the browser (this is often done with a hidden input field), and store a copy on the server with the transaction. Within the form, change the number on submit. Validate that the keys match when processing your requests.
There may also be a clear explanation of what's happening on the front end, and that issue could be eliminated client-side. It's best to solve the double-submit problem on the server, simply because there are so many ways in which a double submit could occur.
It might not be Firebug.
I had a similar issue last year (though, in my case, it was a sequence of endless GET requests whenever viewing a standalone media file: GIF, JPG, WMV, etc).
I disabled all of my extensions and then tried re-enabling them one at a time, checking each extension to see if it was causing the problem. It turned out to be the Skype extension, in my case.
So don't just rely on second-hand knowledge that it's Firebug. If you actually hone in on the problem, you might discover that it's something else entirely.
I use Firebug 1.2.1 and it already has a prevention for the double post bug. It shows you this warning when you want to see the AJAX response:

Firebug needs to POST to the server to get this information for url:
http://example.url/

This second POST can interfere with some sites. If you want to send the POST again, open a new tab in Firefox, use URL 'about:config', set boolean value 'extensions.firebug.allowDoublePost' to true
This value is reset every time you restart Firefox

This problem will disappear when https://bugzilla.mozilla.org/show_bug.cgi?id=430155 is shipped.
I also had this happen to me once in Firefox--it can happen under some circumstances when you "View Source". The Firebug double-post sounds like a similar issue.
In the end, though, it's a good thing you caught this now--it'd be bad if double-charging a credit card could be as simple as hitting the back button after placing an order. (And as a developer for an e-commerce company, I can tell you that this happens all the time. If your checkout process has four steps/pages, just imagine the havoc that you can wreak by opening step 3 in a new browser window, hitting back to the previous step in the first window, then completing the order in the second browser window ... trust me, I've learned the hard way. You will be amazed at what people do to get around that Hawaii shipping surcharge calculation on step 3.)
The nonce is one solution; another is simply to do a sanity check on the page that processes the credit card. Look in your database and say "wait a minute ... this order is already charged!" Then vomit with a graceful error message. Hope this helps!
Even if the nonce isn't your solution for this problem, you need to have a nonce anyway! It's very important for any kind of site where one person would want to trick another into doing something (like anywhere money is involved). It's called cross-site request forgery, and is usually blocked by a nonce. See http://en.wikipedia.org/wiki/CSRF if you need more info.
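The one-time nonce and the "already charged" sanity check suggested in the answers above can be combined in a single server-side guard. The following C# sketch is an added example, not code from any poster; `CheckoutGuard`, its methods and the order id are hypothetical, and in-memory dictionaries stand in for session and database storage.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical class; dictionaries stand in for session and database storage.
public sealed class CheckoutGuard
{
    // nonce -> order id the form was rendered for
    private readonly ConcurrentDictionary<string, int> _pending =
        new ConcurrentDictionary<string, int>();
    // order ids that have already been charged
    private readonly ConcurrentDictionary<int, bool> _charged =
        new ConcurrentDictionary<int, bool>();

    // Call while rendering the payment form; put the result in a hidden input.
    public string IssueNonce(int orderId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string nonce = Convert.ToBase64String(bytes);
        _pending[nonce] = orderId;
        return nonce;
    }

    // Call from the POST handler; 'charge' is the real payment call.
    public string Submit(string nonce, int orderId, Action<int> charge)
    {
        // TryRemove is atomic: of two POSTs carrying the same nonce, one wins.
        if (nonce == null || !_pending.TryRemove(nonce, out int issuedFor))
            return "rejected: unknown or already used nonce";
        if (issuedFor != orderId)
            return "rejected: nonce was issued for a different order";
        // Sanity check: a fresh nonce must not re-charge a paid order.
        // With a real database, do this check and the charge in one transaction.
        if (!_charged.TryAdd(orderId, true))
            return "rejected: order already charged";
        charge(orderId);
        return "charged";
    }
}

public static class Demo
{
    public static void Main()
    {
        var guard = new CheckoutGuard();
        int charges = 0;
        string nonce = guard.IssueNonce(1001);   // constructed order id
        Console.WriteLine(guard.Submit(nonce, 1001, _ => charges++)); // first POST
        Console.WriteLine(guard.Submit(nonce, 1001, _ => charges++)); // replayed POST
        string fresh = guard.IssueNonce(1001);   // form re-rendered via back button
        Console.WriteLine(guard.Submit(fresh, 1001, _ => charges++));
        Console.WriteLine("charges made: " + charges);
    }
}
```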