Moodle / MDL-75083

Login form double submission leads to invalid login


    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • MDL-75083-master
      1. Go to the login page
      2. Enter valid credentials (to reproduce the invalid login token error it doesn't matter if valid or not)
      3. Keep clicking the login button fast, repeatedly.
      4. Verify the "Invalid login, please try again" error message doesn't appear and you are logged in to Moodle
      5. Log out
      6. Repeat the same process for the 'Login as guest' button and verify the "Invalid login, please try again" error message doesn't appear and you are logged in to Moodle as guest

      If you use the same workflow on the latest weekly, it should give you the 'Invalid login, please try again' error message.


      The login form does not prevent double submission. And a double submitted login form leads to an invalid login token error.

      This is because the first submission logs in the user and invalidates the 'anonymous session' (a new session cookie is set on successful login). The second submission reaches the server with the same login token and a session cookie that is meanwhile invalid. The server response from the first request is ignored by the browser since the second submit action cancelled the first request client-side.

      This behaviour is annoying for users because some are double-clicking (you have to double-click slowly enough) the login button intentionally (thinking they have to) without knowing the effect. Others are impatient or miss the browser's page loading indicator and click again. The error message "Invalid login, please try again" that the user sees is the same as for a wrong username/password. Therefore the same happens again and again because the user is not taught to do better.

      I found MDL-38555 that implemented some JavaScript code to prevent double submissions for Moodle forms. Sadly the login page isn't using the forms library.

      A patch is attached that reuses the code from MDL-38555 and applies it to loginbtn within the core/loginform template.
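
The sequence described above, as an added sketch that is not part of the issue, the attached patch or Moodle's code: a toy server ties the login token to the anonymous session and replaces that session on success, and a submit guard cancels every submission after the first. All names here (`ToyServer`, `guardSingleSubmit`, `simulate`, the user `alice`) are assumptions made for the illustration.

```javascript
// Toy model (constructed) of the login flow described in this issue.
const ERR = 'Invalid login, please try again';
let counter = 0;
// Sequential ids keep the toy deterministic; real session ids are random.
const newId = (prefix) => `${prefix}-${++counter}`;

class ToyServer {
  constructor() { this.sessions = new Map(); }
  // Serving the login page creates an anonymous session holding a login token.
  loginPage() {
    const sid = newId('anon');
    const token = newId('logintoken');
    this.sessions.set(sid, { token, user: null });
    return { sid, token };
  }
  // A successful login drops the anonymous session and issues a new cookie.
  login(sid, token, user) {
    const session = this.sessions.get(sid);
    if (!session || session.token !== token) return { ok: false, error: ERR };
    this.sessions.delete(sid);
    const newSid = newId('user');
    this.sessions.set(newSid, { token: null, user });
    return { ok: true, sid: newSid };
  }
}

// Client-side guard: let the first submit through, cancel every later one.
function guardSingleSubmit(form) {
  let submitted = false;
  form.addEventListener('submit', (e) => {
    if (submitted) e.preventDefault();
    submitted = true;
  });
}

// Fire `clicks` submit events; each uncancelled one sends the same sid/token.
// A later submit cancels the earlier request client-side, so the page the
// user ends up seeing is the response to the last request actually sent.
function simulate(clicks, guarded) {
  const server = new ToyServer();
  const { sid, token } = server.loginPage();
  const form = new EventTarget(); // stands in for the login <form>
  if (guarded) guardSingleSubmit(form);
  let sent = 0, shown = null;
  for (let i = 0; i < clicks; i++) {
    const proceed = form.dispatchEvent(new Event('submit', { cancelable: true }));
    if (proceed) { sent++; shown = server.login(sid, token, 'alice'); }
  }
  return { sent, shown };
}
```

`simulate(3, false)` ends on the error page although the first request logged the user in; `simulate(3, true)` sends one request and ends logged in.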

        1. 2023-01-12 01-31-02.mp4
          6.24 MB
          The Physics Teacher Mohammad Farouk (PhUN)
        2. loginform-prevent-double-submission.patch
          0.4 kB
          Johannes Burk
        3. MDL-75083_master.mp4
          699 kB
          John Edward Pedregosa
        4. MDL-75083_v311.mp4
          572 kB
          John Edward Pedregosa
        5. MDL-75083_v400.mp4
          628 kB
          John Edward Pedregosa

            jojoob Johannes Burk
            jojoob Johannes Burk
            Mathew May
            Ilya Tregubov
            John Edward Pedregosa