Using Session to limit form submission by time

Question

I have spent over 2 hours scouring the net trying to figure this out. I am trying to stop multiple form submission any faster than 60 seconds. Here is what I am using.

session_start();
if (!isset($_SESSION['last_submit']))
    $_SESSION['last_submit'] = time();

if (time()-$_SESSION['last_submit'] < 60)
    die('Post limit exceeded. Please wait at least 60 seconds');
else
    $_SESION['last_submit'] = time();

I found this bit here on the site but haven't been able to figure anything else out as far as getting it to work. I have this bit of code on my page at the beginning that does the DB query with the previous pages POST results. Do I need to set $last_submit to a certain value? Any help is appreciated.

Answer 1

You have two problems. Firstly, on the first execution you are setting the session value to time(), so the first try will always produce the limit exceeded error. The second problem is you have a typo in $_SESION.

Try:

session_start();

if (isset($_SESSION['last_submit']) && time()-$_SESSION['last_submit'] < 60)
    die('Post limit exceeded. Please wait at least 60 seconds');
else
    $_SESSION['last_submit'] = time();

Also it should be noted that is this not foolproof because users can refuse cookies or delete the session cookie, in order to bypass your check.

Answer 2

The last statement:

$_SESION['last_submit'] = time();

should be:

$_SESSION['last_submit'] = time();

You forgot an S...

Also this piece of code will die meaning that the die statement will be executed.

Alternative:

if (time() - ( isset($_SESSION['last_submit'])?$_SESSION['last_submit']:0 )< 60) 
    die('Post limit exceeded. Please wait at least 60 seconds'); 

// update the session
$_SESSION['last_submit'] = time();