-
Bug
-
Resolution: Fixed
-
Minor
-
3.9.14, 3.9.15, 3.11.7, 4.0.1
-
MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
-
MOODLE_311_STABLE, MOODLE_400_STABLE
-
MDL-75083-master -
The login form does not prevent double submission. And a double submitted login form leads to an invalid login token error.
This is because the first submission logs in the user and invalidates the 'anonymous session' (a new session cookie is set on successful login). The second submission reaches the server with the same login token and session cookie meanwhile invalid. The server response from the first request is ignored by the browser since the second submit action cancelled the first request client-side.
This behaviour is annoying for users because some are double clicking (you have to double click slow enough ) the login button intentionally (thinking they have to) without knowing the effect. And others are impatient or missing the browser's page loading indicator and clicking again. The error message "Invalid login, please try again" the user sees is the same as for a wrong username/password. Therefore the same happens again and again because the user is not taught to do better.
I found MDL-38555 that implemented some JavaScript code to prevent double submissions for Moodle forms. Sadly the login page isn't using the forms library.
A patch is attached that reuses the code from MDL-38555 and applies it to loginbtn within the core/loginform template.