  1. Moodle
  2. MDL-75083

Login form double submission leads to invalid login


Details

    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • MDL-75083-master
      1. Go to the login page
      2. Enter valid credentials (to reproduce the invalid login token error it doesn't matter if valid or not)
      3. Keep clicking the login button fast, repeatedly.
      4. Verify the "Invalid login, please try again" error message doesn't appear and you are logged in to Moodle
      5. Log out
      6. Repeat the same process for the 'Login as guest' button and verify that the "Invalid login, please try again" error message doesn't appear and you are logged in to Moodle as guest

      If you use the same workflow on the latest weekly, it should give you the 'Invalid login, please try again' error message.


    Description

      The login form does not prevent double submission. And a double submitted login form leads to an invalid login token error.

      This is because the first submission logs in the user and invalidates the 'anonymous session' (a new session cookie is set on successful login). The second submission reaches the server with the same login token and a session cookie that is meanwhile invalid. The server response from the first request is ignored by the browser since the second submit action cancelled the first request client-side.

      This behaviour is annoying for users because some are double clicking (you have to double click slowly enough) the login button intentionally (thinking they have to) without knowing the effect. Others are impatient or miss the browser's page loading indicator and click again. The error message "Invalid login, please try again" the user sees is the same as for a wrong username/password. Therefore the same happens again and again because the user is not taught to do better.

      I found MDL-38555 that implemented some JavaScript code to prevent double submissions for Moodle forms. Sadly the login page isn't using the forms library.

      A patch is attached that reuses the code from MDL-38555 and applies it to loginbtn within the core/loginform template.
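
The race described in this issue, as an added example that is not part of the issue or the attached patch: a constructed in-memory model of a session-bound login token, plus a generic submit guard. All function names, the session store and the user value are assumptions made for illustration and are not Moodle's code.

```javascript
// Constructed model of the race; not Moodle code. All names are hypothetical.
let counter = 0;
const newId = (prefix) => `${prefix}-${++counter}`;
const sessions = new Map(); // session cookie -> { loginToken, user }
const INVALID = 'Invalid login, please try again';

// Serving the login page creates an anonymous session holding a login token.
function getLoginPage() {
  const cookie = newId('sess');
  const loginToken = newId('tok');
  sessions.set(cookie, { loginToken, user: null });
  return { cookie, loginToken };
}

// The token is only accepted together with the session it was issued for.
function postLogin(cookie, loginToken, credentialsOk) {
  const session = sessions.get(cookie);
  if (!session || session.loginToken !== loginToken || !credentialsOk) {
    return { ok: false, error: INVALID };
  }
  sessions.delete(cookie); // successful login invalidates the anonymous session
  const fresh = newId('sess');
  sessions.set(fresh, { loginToken: null, user: 'constructed-user' });
  return { ok: true, cookie: fresh };
}

// Client-side guard: the first submit passes, later ones are cancelled.
// In a browser: form.addEventListener('submit', makeSubmitGuard());
function makeSubmitGuard() {
  let submitted = false;
  return (event) => {
    if (submitted) event.preventDefault();
    submitted = true;
  };
}

// Two fast clicks on one loaded page. Every request reuses the page's cookie
// and token, and the browser renders only the response to the last request.
function simulateDoubleClick(useGuard) {
  const page = getLoginPage();
  const guard = useGuard ? makeSubmitGuard() : () => {};
  let shown = null;
  for (let click = 0; click < 2; click++) {
    let cancelled = false;
    guard({ preventDefault() { cancelled = true; } });
    if (!cancelled) shown = postLogin(page.cookie, page.loginToken, true);
  }
  return shown;
}
```

The guard only changes what the browser sends; the server-side rejection of a token presented with a stale session cookie stays in place.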

      Attachments

        1. 2023-01-12 01-31-02.mp4
          6.24 MB
          The Physics Teacher Mohammad Farouk (PhUN)
        2. loginform-prevent-double-submission.patch
          0.4 kB
          Johannes Burk
        3. MDL-75083_master.mp4
          699 kB
          John Edward Pedregosa
        4. MDL-75083_v311.mp4
          572 kB
          John Edward Pedregosa
        5. MDL-75083_v400.mp4
          628 kB
          John Edward Pedregosa


            People

              jojoob Johannes Burk
              jojoob Johannes Burk
              Mathew May Mathew May
              Ilya Tregubov Ilya Tregubov
              John Edward Pedregosa John Edward Pedregosa