Generate a random number when creating a form, store it in the session and in a hidden on the form. Then when the post comes back, make sure the hidden is there and that it matches the one in the session.
Cal
*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*

-----Original Message-----
From: Warrick Wilson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 2:52 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Is it possible to verify that a form submision is not being "spoofed"?

I'm having a hard time explaining what I'm trying to do, which is why I'm having a hard time finding anything online/in manuals...

My site serves a form for the user to fill in. User has been authenticated with a login and we're using PHP 4 sessions. When using Internet Explorer, the user can hit Ctrl-N and get a new window, but his session for that new window is still valid. He could then load up a local page and submit it to the target of my original form.

Is there some way of detecting that the submission came from a page that hadn't been served up by my application, but was instead sent in from some other "foreign" form?

Or maybe the question is - how can I kill off sessions if the user navigates away from the page that I sent him originally?

Warrick Wilson
mailto:[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
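
The token check described in the reply above, as an added example that is not part of the original thread or either poster's code. It assumes PHP 7 or later (for random_bytes and the ?? operator); the function names issue_form_token and check_form_token and the field name form_token are hypothetical.

```php
<?php
// Added example: per-form token bound to the session (all names are hypothetical).
session_start();

// Create a fresh token, store it in the session, and return it for the hidden field.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));     // CSPRNG output, not rand()/mt_rand()
    $_SESSION['form_token'] = $token;
    return $token;
}

// True only if the posted token is present and equals the session copy.
function check_form_token(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);         // single use: a replayed post fails
    $given = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;                       // field missing, or no form was ever served
    }
    return hash_equals($expected, $given);  // constant-time string comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!check_form_token($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // ... process the legitimate submission here ...
    exit('Submission accepted.');
}

$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="comment">
  <input type="submit" value="Send">
</form>
```

Because this sketch keeps one token per session, serving the form a second time (for example in a Ctrl-N window) invalidates the token in the first copy. Keying tokens per form instance in the session avoids that at the cost of more session state.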