I'm working on a site that was handed off from another developer and I had a question about his method of validating a FORM's POST authenticity.
When the form is displayed, he sets up a random ID and assigns it to both a local variable and a SESSION variable. He then attaches the random ID to the end of the FORM action URL.
When the form is submitted, the code checks to make sure the submitted random ID is the same as the SESSION's random ID.
Here's the code he used:
if(isset($_SESSION['sins_code']) && isset($_GET['rand']) && intval($_GET['rand']) > 0 && intval($_GET['rand']) == $_SESSION['sins_code']) {
Is there any purpose to all this on each form page? Can I just replace this check with an HTTP_REFERER check to make sure the form is submitted correctly? This is for a financial institution, so I don't want to remove any extra security if it's necessary.
Also, on the rest of the site the other developer has used random IDs for each page, I'm assuming so that the site won't cache the pages. I should just be able to set the Pragma: no-cache header and be alright to remove the random codes, right?
Thanks in advance,
JR
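The mechanism the post describes (a random ID stored in the session when the form is rendered, compared against the submitted copy when the form is posted) written out as a self-contained script. This is an added example, not the original developer's code from the post: the session key `form_token`, the field name, and the `amount` input are assumptions, and the token is carried in a hidden POST field rather than appended to the form's action URL.

```php
<?php
// Added example of a per-form session token check (not the code from the post).
// Assumed names: $_SESSION['form_token'] and the hidden field "form_token".
session_start();

// Issue a fresh token when the form is rendered and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

// Verify the submitted token against the session copy.
// hash_equals() is a constant-time comparison; the token is removed after one
// use so a captured copy cannot be replayed.
function verify_form_token(?string $submitted): bool
{
    if (!isset($_SESSION['form_token']) || !is_string($submitted)) {
        return false;
    }
    $ok = hash_equals($_SESSION['form_token'], $submitted);
    unset($_SESSION['form_token']);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject any submission whose token is missing, stale, or wrong.
    if (!verify_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // ... process the trusted submission here ...
    echo 'Submission accepted.';
} else {
    $token = issue_form_token();
    // Stop caches from storing a page that embeds a live token.
    header('Cache-Control: no-store');
    ?>
    <form method="post" action="">
      <input type="hidden" name="form_token"
             value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
      <label>Amount <input type="text" name="amount"></label>
      <button type="submit">Submit</button>
    </form>
    <?php
}
```

Two design choices differ from the snippet in the post. The comparison uses `hash_equals()` on the string token instead of `intval(...) ==`, so the token can be a long random string rather than a small integer and the check is not subject to loose-comparison surprises. The token rides in a hidden form field instead of the query string, because values in a URL end up in browser history, proxy and server access logs, and the Referer header sent to any third-party resource on the next page.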