The scenario is this:
An iPhone app connects to a web server with Apache, PHP & MySQL.
The iPhone app has a timeout of 5 seconds on connections (async NSURLConnection). If the response from the server comes after the timeout, the application doesn't know and tries to send the data again.
On the server the PHP script runs twice. Once when the first set of data arrived. It creates a new user in the database, but by the time it should echo the response the app times out. The second time the app tries to create the user it receives an error because the username should be unique. This happens because the first time the PHP script already inserted the user into the database.
In this case the user is created on the server but the user doesn't know this because he receives an error with user already created.
A few things:
- The timeout can be increased but it doesn't matter. The server can take even more to create the user when under load.
- I can test if the user can log in and, instead of trying to create, just log him in normally. The problem here is what happens if two users try to create a user with the same username and password, because in that case the second user will automatically log in. In this case I can indeed add a check to see if the user was created in the last minute and just log in if so. (The thing is, if the script takes more than 1 minute to execute the server should crash first; the create user script takes 0.001 seconds to execute and under load it takes 3-4.)
Is there any way to prevent a PHP script from executing if another one is executing with the same data? Or is there another solution to this problem?
I am not sure about the PHP route, but one solution from the iPhone side is to include in your client's HTTP request a vendor-specific device identifier from UIDevice's identifierForVendor. This way you can identify whether the create request is coming from the same device (same iPhone user) or someone else. If this unique ID does not match up, you can give your "Sorry, this username is taken" message.
As a side note though, if the users create a user with the same username and password then it is usually valid to assume it is the same user trying to log in on multiple devices (iPhone and iPad for example). This may be a use case that you want to support. The chance of two users independently trying to create the same user/password account is highly unlikely. It is a less likely scenario than the common scenario of someone randomly guessing a username/password combo and gaining access through that route. If you are using a username/password system, the underlying assumption is that this represents an acceptable level of risk. Some strategies for minimizing this risk are to use password complexity rules, to enforce usernames that are valid and confirmed email addresses, and in extreme cases to use two-factor (or more) authentication.
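The device-identifier check suggested in the answer above, sketched server-side as an added example (not code from the question or the answer). The table layout, the `createUser` function and the sample values are assumptions, and in-memory SQLite stands in for the question's MySQL so the script runs offline.

```php
<?php
// Added example: idempotent "create user" handler. Table layout, function
// name and sample values are assumptions, not code from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username      TEXT PRIMARY KEY,   -- uniqueness enforced by the database
    password_hash TEXT NOT NULL,
    device_id     TEXT NOT NULL       -- identifierForVendor sent by the app
)');

function createUser(PDO $pdo, string $username, string $password, string $deviceId): string
{
    try {
        // Insert first and let the unique key arbitrate concurrent requests;
        // a SELECT-then-INSERT check would race under load.
        $stmt = $pdo->prepare(
            'INSERT INTO users (username, password_hash, device_id) VALUES (?, ?, ?)');
        $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $deviceId]);
        return 'created';
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate key).
        if (substr((string) $e->getCode(), 0, 2) !== '23') {
            throw $e;
        }
    }
    $stmt = $pdo->prepare('SELECT password_hash, device_id FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Treat it as a retry only if device AND password match: the device id is
    // client-supplied, so on its own it proves nothing.
    if ($row !== false
        && hash_equals($row['device_id'], $deviceId)
        && password_verify($password, $row['password_hash'])) {
        return 'created';
    }
    return 'username_taken';
}

// Constructed sample requests.
echo createUser($pdo, 'alice', 'correct horse', 'DEVICE-A'), "\n"; // first request
echo createUser($pdo, 'alice', 'correct horse', 'DEVICE-A'), "\n"; // retry after timeout
echo createUser($pdo, 'alice', 'correct horse', 'DEVICE-B'), "\n"; // different device
echo createUser($pdo, 'alice', 'wrong guess', 'DEVICE-A'), "\n";   // same device, wrong password
```

The retry from the same device gets the same success response as the original request, so the app never sees a spurious "already exists" error, while the other two requests are rejected without being logged in.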
There is a device ID present in all iPhones and they are all unique. Check how to get it in your language once a user tries to register using their iPhone. Using that device ID, they cannot register more than once.