DewChugr - 7:16 pm on Jun 15, 2006 (gmt 0)
This should help with some attacks. Include this in the web page with your form and pass the token as a hidden value. This will ensure that the form you processed was actually filled out on your website. With the time session you can limit the time between when the form loads and when it is processed.

<?php
session_start();
// mint a token, store it in the session, and emit it as a hidden field
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();
?>
<input type="hidden" name="token" value="<?php echo $token; ?>">

Then when you get to your validation page include this.

<?php
session_start();
define('LOGIN_TIME_LIMIT', 60 * 10);
// reject the submission unless a token was posted and it is identical to the stored one
if (!isset($_POST['token'], $_SESSION['token']) || $_POST['token'] !== $_SESSION['token']) {
    echo "Invalid data!";
    exit;
}
$token_age = time() - $_SESSION['token_time'];
if ($token_age >= LOGIN_TIME_LIMIT) {
    // time limit can be set here as number instead
    // of LOGIN_TIME_LIMIT define, such as 60*10
    exit;
}

I didn't create this, but I can't remember where I first saw it. Of course, you still need to make sure that the information passed with your form is valid.

Steve
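The same form-token-plus-expiry check, written here in Python rather than PHP as an added example that is not part of the post above: the token comes from a CSPRNG, the comparison is constant-time, an expired or missing token is rejected, and a token is consumed on first successful use so a replayed submission fails. The `session` and `post` dicts stand in for `$_SESSION` and `$_POST` (an assumption for the demo), and the 600-second limit mirrors the `60*10` suggested in the post.

```python
import hmac
import secrets
import time

# seconds a rendered form stays valid; the post suggests 60*10 for its define
TOKEN_TIME_LIMIT = 60 * 10


def issue_token(session, now=None):
    """Mint a fresh form token and record it in the session (the form page side)."""
    token = secrets.token_hex(16)  # unpredictable, unlike md5(uniqid(rand()))
    session["token"] = token
    session["token_time"] = time.time() if now is None else now
    return token  # value to place in the hidden <input name="token">


def validate_token(session, post, now=None):
    """Check a posted token (the validation page side). Returns (ok, reason)."""
    now = time.time() if now is None else now
    expected = session.get("token")
    supplied = post.get("token")
    # a session with no outstanding token, or a form without one, is rejected outright
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False, "missing token"
    # constant-time comparison: a plain != leaks how many leading bytes matched
    if not hmac.compare_digest(expected, supplied):
        return False, "token mismatch"
    # same age rule as the post: at or past the limit the form is stale
    if now - session.get("token_time", 0) >= TOKEN_TIME_LIMIT:
        return False, "token expired"
    # single use: drop the token so the identical submission cannot be replayed
    session.pop("token", None)
    session.pop("token_time", None)
    return True, "ok"


if __name__ == "__main__":
    # constructed walk-through: render a form, then submit it once, then replay it
    session = {}
    hidden = issue_token(session, now=1000.0)
    print(validate_token(session, {"token": hidden}, now=1005.0))  # (True, 'ok')
    print(validate_token(session, {"token": hidden}, now=1006.0))  # replay rejected
```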