Track the session and the form itself.

Session tracking is obvious I guess.
To track the form: add a hidden field with a random value in it.
(the same you do for anti-CSRF)

When they hit back, the form will send back the same hidden randomvalue that was used in the earlier "reservation": you can safely ignore it as it's twice the same browser (nobody else will have the same random value).

Track the session and the form itself.

Thanks,
Not sure I understood this,
I donīt use sessions.
When the persons leave my site and enter paypals isnīt the session lost?

When the persons leave my site and enter paypals isnīt the session lost?

Nope.

A session is essentially a cookie in the browser that's matched on the server side with information. As long as the client keeps the cookie and the server keeps its information, the session remain valid even if there are visits to other websites in between (HTTP being stateless...: there's not even a way to know they did that)

I'd suggest to take the time to understand sessions in full. They can be of great benefit to you when you do transactions that span more than one page hit.

Ref: [php.net...]

The philosophy I thried to explain above is
- to use the session to keep track of things like users being logged in or not, from the time the enter till they log out. (if they log in and out, from the first hit otherwise.
- to use a hidden field with a server side generated random value in it in sensitive forms.

If you then get on form submission that
- it's the same session (i.e. the same browser - cookie based)
AND
- it's the same form (due to the same random value being returned)
THEN it's relatively safe to assume the user went "back"

Whenever you accept a submission, ready for payment, you also keep track of the random value in the submission - to check for resubmissions ...

You also have to take care that they might go even further back and get a new form as well - but then it quickly become a matter of adding more state in the sessions.

You also have to take care that they might go even further back and get a new form as well - but then it quickly become a matter of adding more state in the sessions.

They dont log in so it would have to be a hidden value,
dont think that if they get another form would be a problem as the message if backbutton hit would only apply if the property is already booked, and the message would only appear on the bookingverification page.

Not fancy of using sessions, suppose there arent any other way.
I have sessions in the intranet, so I now that point, but not how to store and do the random value.
Thanks

What I am thinking,
if they hit the backbutton,
instead of displaying a message saying its been blocked for x minutes, please come back later.

I could store the id of the booking and if backbutton is hit then I could delete the booking, so they can go back and if they want to change any information in the bookingform.
As the id is autoincrease I will not have any problems if they go to another form.
Then is the question, when to expire session, or maybe better to kill it.

Ok,

Every time you generate the form (I suppose you do that in php),
generate inside the form a html line that says

<input type="hidden" value="$random" />

you need to generate the random string too ...
to generate it you could use something like:

$chars = 'ABCDEFGHIJKLMOPQRSTUVXWYZ0123456789';
$len = strlen($chars)-1;
$random='';
for($x=1;$x<=10;$x++){
  $roll = rand(0,$len);
  $random .= substr($chars,$roll,1);
}

When you process the from

- where you check if it's "free",
- if it fails, check if the random value you stored is the same as the one you got this time.
- if it is, it's a resubmittal of the form
- if it's "free":
- store the random value in your database

That's it based on your explanations.

But I think that creating a session, and hence recognizing them after paypal hands you back the visitor would make a lot of sense too.

Every time you generate the form (I suppose you do that in php),
generate inside the form a html line that says
<input type="hidden" value="$random" />

Thanks a lot,
No I dont generate the form, its a page with a form that they get to after checking availability etc with database and php.

Yes you are correct, its good to recognize them after payment also,
what I do is to us ipn and I update database as paid, and I run a chronjob that checks every 15 minutes if some booking has statement unpaid for more than 30 minutes.
What happens when they cancel the payment they goes to my cancelpage without being recognized, and the cron job deletes the booking.
As I said before, if I store the id of the booking I can delete the booking immediately if they come to cancelpage or if they clicks on hitback.
So I would store in the session the id of the booking, and the random value also, but one would be enough I think.

Hmm
on verification page (page between form and paypal):

if submit form (or as you said, if free {create session then insert booking in database and redirect to paypal for payment}
else {delete booking and kill session.}
then if they click back to form the form is there to modify and book again if they wish.

However if the click backs are very quick, I suppose there is time to delete the booking and kill session.

hmm,
could maybe be a problem,
I dont have any shopping cart as is imposible to do 2 bookings at the same time.
So if somebody wants to book 2 or more properties then they will have several sessions.
I could kill the session when they como to the checkout page or cancelpage, but many just close payapals window without going to my checkpage.
Can one have more than one session,
or maybe there is a way to kill previous session if any?