How to protect Laravel reset password from multiple fast clicks

Panjeh
May 26, 2018

1. Problem

While implementing user registration and account activation in Laravel, I ran into a problem.

If the user clicks the reset password button or the resend activation code button several times in quick succession, they receive a flood of emails at the same time.

This can happen due to two scenarios:

1. The user is being silly or is deliberately trying to misuse our app.
2. The user is genuine, but the server is slow at that moment; after the first click the user thinks "maybe the form was not submitted" and clicks the button again and again.

I even checked this in Laravel Spark and tried to reset my password with multiple fast clicks. It seems to have the same problem.

2. Solution

2.1. Front-end

One solution is to disable the button on the front-end via JavaScript immediately after the first click. That may seem sufficient, but a client-side check can be bypassed, so I wanted a server-side solution.

Before you continue with the rest of this tutorial, I would like to introduce two packages for Laravel that I have recently developed: Laravel Pay Pocket, a modern multi-wallet package, and Laravel Failed Jobs, a UI for the Laravel Failed Jobs Table. I hope they may be of help to you.

https://github.com/HPWebdeveloper/laravel-pay-pocket
https://github.com/HPWebdeveloper/laravel-failed-jobs

2.2. Server-side

When a password reset link is requested, a record is created in the password_resets table. If the user uses the reset link (sent to their email), the record is deleted. If the user does not use the link but keeps requesting a password reset, the existing record is deleted and a new one is created on every request.

So I targeted the ForgotPasswordController and overrode in it the sendResetLinkEmail() method that it inherits from the SendsPasswordResetEmails trait.

I modified sendResetLinkEmail(Request $request) as follows so that it takes into account the time elapsed between two consecutive requests.

In sendResetLinkEmail(Request $request) just after :

$this->validateEmail($request);

I put this logic:

and changed nothing else. I set 60 seconds as the minimum interval between two accepted requests; you can change it as you prefer.
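The author's own snippet did not survive on this page, so the following is an added example, not the author's code, of how such a check can be written inside an overridden sendResetLinkEmail(). It assumes a Laravel 5.6-era SendsPasswordResetEmails trait (sendResetLinkResponse() taking only the response) and the default password_resets table with email, token and created_at columns; the $throttleSeconds property and the error message are my own choices.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Carbon\Carbon;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Password;

class ForgotPasswordController extends Controller
{
    use SendsPasswordResetEmails;

    // Minimum number of seconds between two accepted reset requests for one address (assumed value).
    protected $throttleSeconds = 60;

    // Overrides the trait method; everything after the throttle check is the trait's own logic.
    public function sendResetLinkEmail(Request $request)
    {
        $this->validateEmail($request);

        // The broker keeps one password_resets row per address until the link is used,
        // so its created_at column records when the last reset link was accepted.
        $existing = DB::table('password_resets')
            ->where('email', $request->input('email'))
            ->first();

        if ($existing && $existing->created_at !== null
            && Carbon::parse($existing->created_at)->diffInSeconds(Carbon::now()) < $this->throttleSeconds) {
            // Refuse the request without touching the row or sending mail; the error is
            // bound to the email field, like the trait's own failure response.
            return back()
                ->withInput($request->only('email'))
                ->withErrors(['email' => 'Please wait a minute before requesting another reset link.']);
        }

        $response = $this->broker()->sendResetLink($request->only('email'));

        return $response == Password::RESET_LINK_SENT
            ? $this->sendResetLinkResponse($response)
            : $this->sendResetLinkFailedResponse($request, $response);
    }
}
```

Because the lookup and the broker's insert are not atomic, two requests arriving at the same instant can both pass the check; a per-email rate limiter (for example Laravel's throttle middleware keyed on the email field) closes that window. Later Laravel releases (5.8 onward) ship an equivalent throttle option for password brokers in config/auth.php.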

To improve on this, a more generic, middleware-based solution that prevents any single form from being submitted multiple times would be preferable.

I intend to keep sharing my experience with the Laravel framework. Any suggestions for a better solution are most welcome.

Thank you for reading! If you enjoyed this article, please clap for it!

I would also like to hear your opinion on this article. If you have any doubts, questions or suggestions, please leave a comment below.

Have a very wonderful day!
