form submission security issues with sessions

bike5

I have a form on a website thats getting used 5000+ times a day but every day I get 5-10 people email in saying they are getting blocked by my security measures and I don't understand how (and it never lets them through each and every day).

Process:

#1. User enter page with form, I set a session variable with a random string, I add this random string to a hidden form value.
#2. User submits form and I check the hidden post value against the users session value, if they match I process if they do not match I throw an error. The session value is also cleared when they hit this page.

The only thing I can figure would even possibly cause this for normal users would be:

#1. Double submitting the form - it may unset the session after loading the next page but resubmit and they see the second resubmit which does not have session var anymore because it was removed on the first submit.
#2. On the second page they use the browser back button and repost the form, thus same thing happens in #1, session is gone and does not matched the POST.
#3. They tried to submit a form from a different website.

However, when I tell users this they say they are not double submitting or using the back button or using a different website. I cannot think of what else would cause this to happen. Can anyone else think of any reason this would be blocking a few users each day when it works for 99.9%~ of everyone else?

Thank you for your time.

NogDog

One possible issue is that the session ID cookie does not get passed on the form submission if the form was accessed via the "www." sub-domain but the form action does not include that sub-domain in the URL. If that might be the case, the simplest solution is to set the session.cookie_domain value in your PHP config to be ".yourdomain.com" (note the leading ".").

bike5

Thanks for the suggestion but I don't think it is that because I forgot to mention but the user has to be logged into the site to use the form. I use the same session to detect if the user is logged in, these users get the error but are still logged into the system so that tells me the cookie is still properly linking to the session.

Thank you for your time.

NogDog

It could still be an issue if the user logged into the site via "www.yoursite.com" and accessed the form page via "www.yoursite.com/form_page" but that form's action is "http://yoursite.com/action.php". At least take a look at the <form> action and see if it leaves out the "www.". (I'm not by any means claiming this has to be the problem, just that I've seen it happen more than a couple times on different sites.)

bike5

I just checked, that site forces all request to not use "www" even if they try and put in a www it redirects them to the non-www site. And I checked from external sites linking to our all the way to the form they are all consistent without a www. Thanks for the suggestion tho, I could see how that could happen on some sites.