The only fool proof method is is to have the application generate an image.
The image will contain a random number or series of letters.  The user must
type these into a form field to continue.  It's a password that only humans
can read.  It won't prevent an outside script from 'trying' to access the
system.. but since the script can not read what is on the image then it has
to try 50,000,000 keys until it finds the right one.

It works.


----- Original Message -----
From: "Warrick Wilson" <[EMAIL PROTECTED]>
Sent: Tuesday, April 30, 2002 1:52 PM
Subject: [PHP] Is it possible to verify that a form submision is not being

> I'm having a hard time explaining what I'm trying to do, which is why I'm
> having a hard time finding anything online/in manuals...
> My site serves a form for the user to fill in. User has been authenticated
> with a login and we're using PHP 4 sessions. When using Internet Explorer,
> the user can hit Ctrl-N and get a new window, but his session for that new
> window is still valid. He could then load up a local page and submit it to
> the target of my original form.
> Is there some way of detecting that the submission came from a page that
> hadn't been served up by my application, but was instead sent in from some
> other "foreign" form?
> Or maybe the question is - how can I kill off sessions if the user
> away from the page that I sent him originally?
> Warrick Wilson
> --
> PHP General Mailing List (
> To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to