as far as I know you can't because it's something in the browser. I think the only thing you can really do is put something like, please do not go back, refresh the page or stop sending.

you often have a message along the lies of:

please do not use the stop or back button as it may incur your credit card being charged twice.

of course you can use proper english :-)

Leo

tnx for advice, but I want to be sure...

If I don't find better solution, I will log customers last name and amount that has been charged. That way I can ask for confirmation if same values are posted in some short period.

You could try running your checkout process in a chromeless popup window. Not sure how that would affect usability, though.

But then user can close pop-up and submit again (if you are talking about executing just charge script in pop-up).

If you mean to put whole payment process in pop-up, thats ok in case that user don't touch F5 or backspace key :)

tnx for answers, but I want to be totally sure that card has been charged once and I'm going to spend little time now to track values (as I mention above)

Combine client- and server- side techniques.

<input type="submit" name="submitButton" onClick="checkForm(this.form); return false;" value="submit order">

(javascript)
function checkForm(form) {
... do your checks ...

form.submitButton.disabled = true;
form.submit();
}

That stops the double-click habit.

Now when an order is placed, set a unique SESSION cookie. Prior to that in the programming, you will have already checked to see if the cookie exists. Use a session cookie so it doesn't kill any subsequent orders.

$orderPlaced = &checkForCookie;
if ($orderPlaced) { &thanks_but_you_have_submitted_already; }

else { &set_cookie_and_place_order; }

The cookie can be anything, really - a unique number, or something like "my_company_order=1" since you can only set/read a cookie on the same server. You're going to use it once and never need it again.

Of course for this to work it makes it Javascript and cookie-dependent, but if you can reduce half the double-orders, it's better than what you had before. In my experience it usually makes 100% of them go away - users who are careless when placing an order also don't know how to disable Javascript and cookies either, so it's all good. :-)

tnx for explaining a whole method rocknbil!

I will not have any problem with cookies & JScript until we lunch new site because I currently need this on Intranet only, for Call center department where lot of part-time employees work.

BTW I saw that most of the shops/sites are not using autocomplete="off" property for credit card number field? Does anyone know why?

The auto-complete does so based on the form field name. Ever notice how "userid" on one site auto-completes on a different site where "userid" is also the name of the form field? I would think that browsers should be smart enough to disallow obvious CC fields, such as CC, cc_num, ccnum, CreditCardNumber, etc., but doing so would also disallow it even if it's NOT a credit card number field.

I've notice the credit-card autocomplete issue.

IMHO, this is a browser problem. Autocomplete should be OFF by default on https: sites.

Kaled.

Ok, I agree that it would be great that browser detects sensitive data (cc_number) based on field name/https/16 chars long CC number or whatever, but I also think that it's developer responsibility to turn off autocomplete for cc_number field?!

Am I wrong?

Is it simpler for thousands of webmasters to all remember to switch off autocomplete or for a few dozen browser developers to do so?

Kaled.

As I already said, I agree with you, but browsers don't have that function yet and there is no plug-in for firefox available :(

IMHO that is pretty important security issue and developers should not forget to fix it.

This is only something you can do in IE [msdn.microsoft.com], correct?