You may notice that the submission URL for comments has the form /q/:quote/comment/:nonce (and for quotes it's /submit/:nonce). If two submissions with the same nonce are received, then the second one will be silently ignored and the user will be redirected to the first one.
The main reason for this is to help users with flaky internet connections. Basically, if their connection craps out in the middle of submitting a comment, their browser can safely retry the submission with no ill effect. Since our form uses the HTTP verb PUT rather than POST, retrying is allowed by the HTTP spec (PUT is defined as idempotent). Also, since we're going to enhance the form with JavaScript, we can just write the code to retry a few times in the face of failure.
We should have JavaScript re-generate the nonce after the comment is successfully submitted, so that if the user hits the back button after submitting a comment they can submit a second one. Any rate-limiting should be done separately from the whole nonce thing.
We can also do this:
If the nonces don't match, we are being hit by a broken spambot and can safely ignore anything it says.