How do I prevent multiple form submission in .NET MVC without using Javascript?

by

Updated answer for ASP.NET Core MVC (.NET Core & .NET 5.0)

Update note: Remember ASP.NET Core is still called “Core” in .NET 5.0.

I’m going to stick to the least-impact use case like before, where you’re only adorning those controller actions that you specifically want to prevent duplicate requests on. If you want to have this filter run on every request, or want to use async, there are other options. See this article for more details.

The new form tag helper now automatically includes the AntiForgeryToken so you no longer need to manually add that to your view.

Create a new ActionFilterAttribute like this example. You can do many additional things with this, for example including a time delay check to make sure that even if the user presents two different tokens, they aren’t submitting multiple times per minute.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
public class PreventDuplicateRequestAttribute : ActionFilterAttribute {
    public override void OnActionExecuting(ActionExecutingContext context) {
        if (context.HttpContext.Request.HasFormContentType && context.HttpContext.Request.Form.ContainsKey("__RequestVerificationToken")) {
            var currentToken = context.HttpContext.Request.Form["__RequestVerificationToken"].ToString();
            var lastToken = context.HttpContext.Session.GetString("LastProcessedToken");

            if (lastToken == currentToken) {
                context.ModelState.AddModelError(string.Empty, "Looks like you accidentally submitted the same form twice.");
            }
            else {
                context.HttpContext.Session.SetString("LastProcessedToken", currentToken);
            }
        }
    }
}

By request, I also wrote an asynchronous version which can be found here.

Here’s a contrived usage example of the custom PreventDuplicateRequest attribute.

[HttpPost]
[ValidateAntiForgeryToken]
[PreventDuplicateRequest]
public IActionResult Create(InputModel input) {
    if (ModelState.IsValid) {
        // ... do something with input

        return RedirectToAction(nameof(SomeAction));
    }

    // ... repopulate bad input model data into a fresh viewmodel

    return View(viewModel);
}

A note on testing: simply hitting back in a browser does not use the same AntiForgeryToken. On faster computers where you can’t physically double click the button twice, you’ll need to use a tool like Fiddler to replay your request with the same token multiple times.

A note on setup: Core MVC does not have sessions enabled by default. You’ll need to add the Microsoft.AspNet.Session package to your project, and configure your Startup.cs properly. Please read this article for more details.

Short version of Session setup is:
In Startup.ConfigureServices() you need to add:

services.AddDistributedMemoryCache();
services.AddSession();

In Startup.Configure() you need to add (before app.UseMvc() !!):

app.UseSession();

Original answer for ASP.NET MVC (.NET Framework 4.x)

First, make sure you’re using the AntiForgeryToken on your form.

Then you can make a custom ActionFilter:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class PreventDuplicateRequestAttribute : ActionFilterAttribute {
    public override void OnActionExecuting(ActionExecutingContext filterContext) {
        if (HttpContext.Current.Request["__RequestVerificationToken"] == null)
            return;

        var currentToken = HttpContext.Current.Request["__RequestVerificationToken"].ToString();

        if (HttpContext.Current.Session["LastProcessedToken"] == null) {
            HttpContext.Current.Session["LastProcessedToken"] = currentToken;
            return;
        }

        lock (HttpContext.Current.Session["LastProcessedToken"]) {
            var lastToken = HttpContext.Current.Session["LastProcessedToken"].ToString();

            if (lastToken == currentToken) {
                filterContext.Controller.ViewData.ModelState.AddModelError("", "Looks like you accidentally tried to double post.");
                return;
            }

            HttpContext.Current.Session["LastProcessedToken"] = currentToken;
        }
    }
}

And on your controller action you just…

[HttpPost]
[ValidateAntiForgeryToken]
[PreventDuplicateRequest]
public ActionResult CreatePost(InputModel input) {
   ...
}

You’ll notice this doesn’t prevent the request altogether. Instead it returns an error in the modelstate, so when your action checks if ModelState.IsValid then it will see that it is not, and will return with your normal error handling.

More Related Contents:

  1. What is ViewModel in MVC?
  2. Two related questions on jqGrid column header filters and the advanced filtering dialog
  3. ASP.NET MVC How to pass JSON object from View to Controller as Parameter
  4. How do you request static .html files under the ~/Views folder in ASP.NET MVC?
  5. Adding another “Pet” to a Model Form
  6. How to lock down paths in ASP.NET MVC?
  7. Why should I use view models?
  8. Multiple DB Contexts in the Same DB and Application in EF 6 and Code First Migrations
  9. ASP.NET MVC Html.ValidationSummary(true) does not display model errors
  10. HTML.ActionLink vs Url.Action in ASP.NET Razor
  11. How to create custom validation attribute for MVC
  12. How can I pass parameters to a partial view in mvc 4
  13. ASP.NET MVC framework 4.5 CSS bundle does not work on the hosting
  14. Is there a good/proper way of solving the dependency injection loop problem in the ASP.NET MVC ContactsManager tutorial?
  15. pass enum to html.radiobuttonfor MVC3
  16. Does a view exist in ASP.NET MVC?
  17. MVC @Url.Content vs @Url.Action
  18. asp.net mvc complex routing for tree path
  19. ASP.NET MVC Programmatically Get a List of Controllers
  20. ASP.NET MVC5/IIS Express unable to debug – Code Not Running
  21. Best practices for debugging ASP.NET MVC Binding
  22. How to compile cshtml before runtime
  23. CORS in ASP .NET MVC5
  24. how to implement ASP.NET Identity to an empty MVC project
  25. ASP.net MVC – Display Template for a collection
  26. Incompatible Data Reader Exception From EF Mapped Objects
  27. How to reuse Areas, Controllers, Views, Models, Routes in multiple apps or websites
  28. EntityType ‘Category’ has no key defined. Define the key for this EntityType [duplicate]
  29. Prevent IIS from serving static files through ASP.NET pipeline
  30. MVC Forms LoginUrl is incorrect

Leave a Comment