Another example why javascript:history.go(-1) is a bad idea

Just came across this example. I don’t mean to pick on this particular site, I just stumbled on it.

The following happens on these pictures. I am looking at the classic form which says “Lost password? Enter your e-mail and we send you the activation link”. I enter my e-mail and click submit. It tells me that this e-mail was not found. I hit their “back” link (NOT my browser’s “back” button) and come to the same form… except that the “submit” button is disabled. I can enter another e-mail, but I can’t submit.

What’s going on?

We see the following code in the page that shows me the form:

<form id="request_pass" method="post"
action="login.php?action=forget_2"
onsubmit="this.request_pass.disabled=true;
if(process_form(this)){return true;}else
{this.request_pass.disabled=false;return false;}">

So… when process_form validates the form to be OK, the button is disabled. Which is a good idea to disable multiple clicking. But, on the resulting page, you come back with javascript:history.go(-1), and this does not reset the previous page state. The page is shown exactly as the browser last saw it. With the submit button disabled.

How to fix? There are two ways:

1. Instead of javascript:history.go(-1), use a normal URL that triggers a page reload and script resetting.
2. Remove the validation and button disabling from the form. Less desirable, since does not prevent multiple clicking, which may in the worst case trigger several password reset emails and confuse the user.