[racket] Question about the double submit bug 'in the wild'

From: Matthias Felleisen (matthias at ccs.neu.edu)
Date: Fri Aug 20 18:57:05 EDT 2010

On Aug 20, 2010, at 6:19 PM, Horace Dynamite wrote:

> I recently linked my bank account with a university for payment of
> tuition fees and such. Once I'd given them all my information I was
> presented with a confirmation page showing my details, it had the
> following warning beneath it,
> 
> WARNING: Do not reload this page. Doing so could submit your financial
> information again. Please click the "Go back to portal" button below
> to exit.
> 
> I remembered this discussion in the continue blog application over at
> the help desk, and it was solved using the redirect/get function. Why
> isn't this method being used here? Are there gotchas with HTTPS using
> this method? Would this be considered bad practise by professionals
> not protecting their system against this?


Yes, this should be considered malpractice. Sadly, what happens in 
reality is that (1) programmers and managers will ignore error reports; 
(2) they will blame users for not using the product properly; (3) they
will blame users for ignoring the instructions on not using the back button; 
(4) they will not understand that users may have cloned windows and other
stuff happens; and (5) eventually the programmer will be promoted and 
his replacement will say we need to port this program to JavaScript 17.2
and we need to hope that the bugs just go away. 

Programmers should be held to the standards of the medical profession, 
but they are in practice held to almost no standards. 

-- Matthias



Posted on the users mailing list.