I'm having a hard time explaining what I'm trying to do, which is why I'm
having a hard time finding anything online/in manuals...
My site serves a form for the user to fill in. User has been authenticated
with a login and we're using PHP 4 sessions. When using Internet Explorer,
the user can
Generate a random number when creating a form, store it in the session and
in a hidden on the form. Then when the post comes back, make sure the hidden
is there and that it matches the one in the session.
Cal
*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*
On Wednesday 01 May 2002 04:05, Cal Evans wrote:
Generate a random number when creating a form, store it in the session and
in a hidden on the form. Then when the post comes back, make sure the
hidden is there and that it matches the one in the session.
But the flaw in that is if the nasty
This random number, because it is being sent to the user is just as easy to
forge as the rest of the fields on the form. The only thing you can do is check
the refferer on the submitted page, but alas even this can be forged with enough
technohow. Good luck!
James
-Original Message-
4 matches
Mail list logo
