On Tue, 2003-10-28 at 23:40, Adam Hardy wrote:
> I don't store the token in the session. When the form submits, I check
> the session for a hashmap, & if the token is not in the hashmap, I allow
> the transaction and then put the token in the hashmap.
Interesting. You store the successful tokens so they can't be used again, and ignore the tokens that are never returned to the server. This would be more efficient for the case where the user views but never submits more forms than they view and do submit. I'll have to analyse my traffic some time and see what my users are doing.

Currently I've implemented the opposite: I keep track of all the tokens and drop those that the user returns. I also drop all tokens older than 2 hours (which means the user has 2 hours to submit any particular form before the token goes away and they can't). (And obviously I store them in the session, so they all go away when the session does.)

I like your solution better than mine.
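The two token-tracking strategies discussed in this thread, written out as an added example (not code from either poster): an issued-token tracker with the two-hour expiry from the reply, and a used-token tracker as described in the quoted message. Token generation with `secrets` and the injectable clock are assumptions for illustration; the real implementation would keep the map in the HTTP session.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 60 * 60  # the two-hour window mentioned in the reply


class IssuedTokenTracker:
    """Reply's approach: remember every token issued, drop it when returned.

    A token that was never issued (or has expired) is rejected, so this
    refuses forged or replayed submissions as well as duplicate ones.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._issued = {}  # token -> issue timestamp (would live in the session)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self):
        self._purge_expired()
        token = secrets.token_urlsafe(16)  # assumption: unguessable random token
        self._issued[token] = self._clock()
        return token

    def consume(self, token):
        """Return True and drop the token if it was issued and is still valid."""
        self._purge_expired()
        return self._issued.pop(token, None) is not None

    def _purge_expired(self):
        now = self._clock()
        for tok, issued_at in list(self._issued.items()):
            if now - issued_at > self._ttl:
                del self._issued[tok]


class UsedTokenTracker:
    """Quoted approach: remember only tokens that were already submitted.

    Cheaper when many forms are viewed but never submitted, but any value
    not yet in the map is accepted, so it stops duplicate submits only; it
    does not check that the server ever issued the token.
    """

    def __init__(self):
        self._used = set()  # the 'hashmap' of already-accepted tokens

    def consume(self, token):
        """Return True the first time a token is seen, False on any repeat."""
        if token in self._used:
            return False
        self._used.add(token)
        return True
```

The last comparison in the test below shows the practical difference: the used-token map accepts an unknown token, while the issued-token map rejects it.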