php noob wrote: I know the trick to generate a unique session token on a form page, echo that in a hidden field in a form, and then on the post page compare the two to see if they are the same to prevent form spoofing.
I am not in favour of this as I feel that it is more important to have proper input validation and complete mediation rather than to try and prevent people from writing their own forms and submitting them. After all, it is still possible to load and parse your form for the hidden field, and then incorporate that in the "custom" form and submit that one instead.
In my opinion, the real problem with form spoofing is the type where there is impersonation (i.e., phishing attacks), not where there is an alternative to the form that you provide.
php noob wrote: But what if the page is posting to itself instead of another?
Why would that make it any different?
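The hidden-field token described above, together with the server-side input validation the reply argues for, on a single page that posts to itself. This is an added PHP example, not code from the thread; it assumes a plain PHP session, and the field names (token, email, qty) are illustrative.

```php
<?php
// Added example, not from the thread: the hidden-field token described above
// plus the input validation the reply argues for, on a page posting to itself.
// Assumes a plain PHP session; field names (token, email, qty) are illustrative.

function form_token(): string {
    // One token per session from a CSPRNG, kept server-side for comparison.
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid(array $post): bool {
    // Constant-time compare; a missing or non-string token never matches.
    return isset($_SESSION['form_token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($_SESSION['form_token'], $post['token']);
}

function validate_input(array $post): array {
    // Complete mediation: every field is checked on the server, token or not.
    $errors = [];
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $range = ['options' => ['min_range' => 1, 'max_range' => 100]];
    if (filter_var($post['qty'] ?? '', FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'qty';
    }
    return $errors;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST)) {
        http_response_code(403);
        exit('Form token missing or stale.');
    }
    $errors = validate_input($_POST);
    if ($errors !== []) {
        http_response_code(400);
        exit('Invalid field(s): ' . implode(', ', $errors));
    }
    exit('Accepted.'); // the validated submission would be processed here
}
// GET: render the form, echoing the token in the hidden field.
$t = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="token" value="' . $t . '">'
   . '<input name="email"><input name="qty"><button>Send</button></form>';
```

Whether the form posts to itself or to a separate handler makes no difference to the check: the token lives in the session, and the validation runs on whatever arrives in the POST body.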