Someone created two identical accounts on my website at the exact same time. How is it possible?

StackOverflow https://stackoverflow.com/questions/1367239

21-09-2019

Question

I can't believe this - someone actually created two accounts on my social networking website using the same email, even though there are both server-side and client-side validation checks that prevent such a thing from happening. But get this: the creation time recorded for both accounts is exactly the same.

For some reason I'm doubting that this was possible using the forms or any interface - however, I'm more than curious to find out how this happened. Anyone have any ideas here?


Solution

For some reason I'm doubting that this was possible using the forms or any interface - however, I'm more than curious to find out how this happened. Anyone have any ideas here?

Most probably, a browser double-post which you didn't track right.

If you don't want two people to share one email address in your social network, make a UNIQUE constraint on email field.

To avoid double-posts, generate a random string in a hidden control on your page, keep it in a column and make this column UNIQUE.
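The following is an added example, not code from the answer or from the asker's site, showing why the two UNIQUE constraints above are the only reliable guard. It models the asker's situation with SQLite: a "check for the email, then insert" routine written as a generator so two requests can be interleaved the way two server threads handling a double-post would be. Against a table with no constraints the interleaving yields two accounts with the same timestamp; against a table with UNIQUE on `email` and on the hidden-field `form_token`, the second insert fails and the code reports which guard fired. Table and column names are assumed for the example.

```python
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two variants of a users table (example schema).

    users_unchecked: no constraints, only the application-level check, which
    is the situation the asker describes.
    users: the constraints the answer recommends. UNIQUE on email stops two
    people sharing an address; UNIQUE on form_token stops one rendered form
    from being accepted twice.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users_unchecked (
            id         INTEGER PRIMARY KEY,
            email      TEXT NOT NULL,
            form_token TEXT NOT NULL
        );
        CREATE TABLE users (
            id         INTEGER PRIMARY KEY,
            email      TEXT NOT NULL UNIQUE,
            form_token TEXT NOT NULL UNIQUE,
            created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        );
        """
    )
    return conn


def new_form_token() -> str:
    """Random value placed in a hidden field when the signup form is rendered."""
    return secrets.token_urlsafe(16)


def check_then_insert(conn, table: str, email: str, form_token: str):
    """The racy pattern: SELECT to see if the email exists, then INSERT.

    Written as a generator that pauses between the two steps so two requests
    can be interleaved exactly like two threads handling a double-post.
    Finishes with 'created', 'rejected' (caught by the SELECT), or the name of
    the database constraint that stopped it. `table` is a trusted constant
    chosen by the caller, never user input.
    """
    email = email.strip().lower()
    taken = conn.execute(
        f"SELECT 1 FROM {table} WHERE email = ?", (email,)
    ).fetchone()
    yield  # the other request runs its SELECT here, before this INSERT lands
    if taken is not None:
        return "rejected"
    try:
        conn.execute(
            f"INSERT INTO {table} (email, form_token) VALUES (?, ?)",
            (email, form_token),
        )
    except sqlite3.IntegrityError as exc:
        # Only the constrained table gets here; SQLite names the index that failed.
        return "duplicate_submission" if "form_token" in str(exc) else "duplicate_email"
    return "created"


def run_interleaved(conn, table: str, submissions) -> list:
    """Drive several requests so every SELECT runs before any INSERT."""
    gens = [check_then_insert(conn, table, e, t) for e, t in submissions]
    for g in gens:
        next(g)  # step 1 of each request: all checks see the same table state
    results = []
    for g in gens:
        try:
            next(g)
        except StopIteration as stop:
            results.append(stop.value)
    conn.commit()
    return results


def register(conn, table: str, email: str, form_token: str) -> str:
    """One request run to completion with nothing interleaved."""
    return run_interleaved(conn, table, [(email, form_token)])[0]


def count_accounts(conn, table: str, email: str) -> int:
    row = conn.execute(
        f"SELECT COUNT(*) FROM {table} WHERE email = ?", (email.strip().lower(),)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed scenario: one form rendered once (one token), posted twice.
    token = new_form_token()
    print(run_interleaved(db, "users_unchecked", [("Alice@Example.com", token)] * 2))
    print(count_accounts(db, "users_unchecked", "alice@example.com"))  # 2: the asker's duplicate
    print(run_interleaved(db, "users", [("Alice@Example.com", token)] * 2))
    print(count_accounts(db, "users", "alice@example.com"))            # 1
```

The point of the interleaving is that the application-level check is not wrong, it is just not atomic with the insert; only the database can make the decision and the write one step. Normalising the address (trim, lower-case) before both the check and the insert matters too, otherwise `Alice@Example.com` and `alice@example.com` pass the UNIQUE constraint as two different strings.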

OTHER TIPS

Probably because you don't enforce this uniqueness in the database. If you had a unique constraint on the email column in the DB, you wouldn't have had that kind of problem.

You should have set a unique constraint on the email or username column of the users table.

Don't rely on client-side validations! Those are just for the visitor as information. Always make sure validations are done server-side.

My guess is that someone used a script to subscribe to your site as a test to add dozens of accounts to fill your site with forum spam or whatever. By just adding two accounts, they test how easy it is. Apparently, it's quite easy. Next time, they might create a thousand accounts and use it to automatically flood your system with spam. Good luck trying to get rid of this all.

The important hints are already provided: enforce unique email addresses and unique usernames. However, when someone just subscribed to your site, make sure they can't create more accounts from that IP address for at least half an hour. Then you're annoying these automated scripts a bit.
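An added example (mine, not the answerer's) of the per-address cooldown suggested above: a small in-memory limiter that refuses a second signup from the same client address within the half hour. It assumes a single server process and that `ip` is the TCP peer address the server itself observed, not a client-supplied header such as X-Forwarded-For, which a script could set to anything; the class and method names are my own.

```python
import time

SIGNUP_COOLDOWN_SECONDS = 30 * 60  # "at least half an hour", as the answer suggests


class SignupLimiter:
    """Remembers the time of the last accepted signup per client address.

    Assumptions (not from the page): one process, in-memory state, and `ip`
    is the connection's peer address rather than a header the client can set.
    `now` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, cooldown: float = SIGNUP_COOLDOWN_SECONDS):
        self.cooldown = cooldown
        self._last_signup = {}  # ip -> monotonic timestamp of last accepted signup

    def allow(self, ip: str, now=None) -> bool:
        """True if no signup from this address was accepted inside the cooldown."""
        now = time.monotonic() if now is None else now
        last = self._last_signup.get(ip)
        return last is None or now - last >= self.cooldown

    def try_signup(self, ip: str, now=None) -> bool:
        """Check and record in one call; only accepted signups start the clock."""
        now = time.monotonic() if now is None else now
        if not self.allow(ip, now):
            return False
        self._last_signup[ip] = now
        return True

    def prune(self, now=None) -> int:
        """Drop entries whose cooldown has expired so memory stays bounded.

        Returns how many addresses were forgotten.
        """
        now = time.monotonic() if now is None else now
        expired = [ip for ip, t in self._last_signup.items() if now - t >= self.cooldown]
        for ip in expired:
            del self._last_signup[ip]
        return len(expired)


if __name__ == "__main__":
    # Constructed scenario: two signups from one address a minute apart.
    lim = SignupLimiter()
    t0 = 1000.0
    print(lim.try_signup("203.0.113.7", now=t0))        # True
    print(lim.try_signup("203.0.113.7", now=t0 + 60))   # False, inside the cooldown
    print(lim.try_signup("203.0.113.7", now=t0 + 1800)) # True, cooldown over
```

This slows a naive script but does not stop one that rotates addresses, so it belongs alongside the database constraints, not in place of them.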

Certainly the most likely reason is that the user submitted the form twice.

The best way to avoid this is to use the redirect after post method.

If you're somehow receiving double form posts and your constraints/transaction handling is not properly done, it's quite easy to do this.

Double form submissions (especially when triggered by javascript), can come fairly close in time to the server. Check your access log files for double posts.

I think between the other posts, you have your answer. Probably there is no unique constraint on the field in the database AND someone double-clicked the submit button, giving you a double post.

It's good practice to have your DB constraints set properly and, from experience, it's usually best to disable the submit button on the client side (JavaScript) as soon as it's clicked, to prevent those users who still try to double-click everything on the web.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow