Generate a random number when creating a form, store it in the session and
in a hidden on the form. Then when the post comes back, make sure the hidden
is there and that it matches the one in the session.

* Cal Evans
* Journeyman Programmer
* Techno-Mage

-----Original Message-----
From: Warrick Wilson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 2:52 PM
Subject: [PHP] Is it possible to verify that a form submission is not
being "spoofed"?

I'm having a hard time explaining what I'm trying to do, which is why I'm
having a hard time finding anything online/in manuals...

My site serves a form for the user to fill in. User has been authenticated
with a login and we're using PHP 4 sessions. When using Internet Explorer,
the user can hit Ctrl-N and get a new window, but his session for that new
window is still valid. He could then load up a local page and submit it to
the target of my original form.

Is there some way of detecting that the submission came from a page that
hadn't been served up by my application, but was instead sent in from some
other "foreign" form?

Or maybe the question is - how can I kill off sessions if the user navigates
away from the page that I sent him originally?

Warrick Wilson

PHP General Mailing List (
To unsubscribe, visit:
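
The check described in the reply at the top of this thread, as an added example that is not part of the original messages: a per-form random token is stored in the session, embedded in a hidden field, and compared when the post comes back. The function names and the `form_token` key are hypothetical, and the code assumes PHP 7 or later (`random_bytes`, `hash_equals`); the session and POST arrays are passed in explicitly so the constructed demo at the end runs from the command line.

```php
<?php
// Added example: function names and the 'form_token' key are hypothetical.

// Called while rendering the form: create a fresh token, remember it in the
// session store, and return it so it can be embedded in the form.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG output, not rand()/mt_rand()
    $session['form_token'] = $token;
    return $token;
}

// Hidden input carrying the token back with the submission.
function hidden_field(string $token): string
{
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// Called when the post comes back: the hidden value must be present and must
// match the value stored in the session.
function verify_form_token(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    $supplied = $post['form_token'] ?? null;
    unset($session['form_token']);        // single use: a replayed post fails
    if (!is_string($expected) || !is_string($supplied)) {
        return false;                     // missing token, or array-valued input
    }
    return hash_equals($expected, $supplied);  // constant-time comparison
}

// Constructed demo. In a web request, pass $_SESSION (after session_start())
// and $_POST instead of these local arrays.
$session = [];
$token = issue_form_token($session);
echo hidden_field($token), "\n";

var_dump(verify_form_token($session, ['form_token' => $token])); // genuine post
var_dump(verify_form_token($session, ['form_token' => $token])); // same post replayed
issue_form_token($session);
var_dump(verify_form_token($session, ['name' => 'x']));          // form without the hidden field
issue_form_token($session);
var_dump(verify_form_token($session, ['form_token' => str_repeat('0', 64)])); // wrong token
```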
