On Tue, 2006-01-10 at 10:39 -0500, Michael Graham wrote:
> I think the way to do anti-tampering is to keep a pseudo-random
> string in the user's session under 'form_state_secret'. Then take this
> string along with the form state id and the current time and make a
> hash. Add the time and the hash to the hidden field. The hidden field
> would end up looking something like this:
>
> <input type="hidden" name="cap_form_state"
> value="3:1136895378:84eb13cfed01764d9c401219faa56d53">
>
> When fetching the cap_form_state field, split the id, time and hash and
> check to make sure that the hash matches the id, time and secret.
Usually the secret is just kept on the server-side. You shouldn't need to
send that to the user. There's a good example of this in the Eagle book and
in this on-line chapter from CGI Programming with Perl:
http://www.oreilly.com/catalog/cgi2/chapter/ch08.html

- Perrin

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/cgiapp@lists.erlbaum.net/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
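The scheme Michael describes, with Perrin's point applied (the secret stays on the server and only `id:time:hash` goes into the hidden field), as an added example that is not code from the thread or from CGI::Application. It is written in Python rather than Perl so that it can be exercised stand-alone; the secret value, the `sign_form_state`/`verify_form_state` names and the one-hour maximum age are assumptions made here. It uses an HMAC over `id:time` instead of a plain hash over the concatenated id, time and secret, which is the standard keyed construction for this purpose, and it compares digests in constant time and rejects stale or future-dated tokens.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side secret. In a real application this comes from
# configuration (or, as in Michael's design, the user's session) and is
# never written into the page sent to the client.
SERVER_SECRET = b"constructed-secret-for-illustration-only"

# Assumed policy: a form-state token older than an hour is rejected.
MAX_AGE_SECONDS = 3600


def _digest(form_id: str, issued_at: int, secret: bytes) -> str:
    """Keyed digest over 'id:time'; the secret enters only as the HMAC key."""
    msg = f"{form_id}:{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_form_state(form_id: str, secret: bytes = SERVER_SECRET,
                    now: Optional[int] = None) -> str:
    """Build the hidden-field value 'id:time:hash' (the 'now' argument
    exists so tests can pin the timestamp)."""
    issued_at = int(time.time()) if now is None else now
    return f"{form_id}:{issued_at}:{_digest(form_id, issued_at, secret)}"


def verify_form_state(value: str, secret: bytes = SERVER_SECRET,
                      now: Optional[int] = None,
                      max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the form-state id if the field is well-formed, unmodified and
    fresh; return None otherwise. Every rejection looks the same to the
    client, so the check leaks nothing about which part failed."""
    parts = value.split(":")
    if len(parts) != 3:
        return None
    form_id, issued_s, presented = parts
    if not issued_s.isdigit():
        return None
    issued_at = int(issued_s)

    # Recompute the digest from the id and time the client sent back and
    # compare in constant time; any change to id or time changes the digest.
    expected = _digest(form_id, issued_at, secret)
    if not hmac.compare_digest(expected, presented):
        return None

    # Freshness: reject tokens from the future or older than max_age.
    current = int(time.time()) if now is None else now
    if current < issued_at or current - issued_at > max_age:
        return None
    return form_id


if __name__ == "__main__":
    # Constructed walk-through using the id and timestamp from the thread.
    token = sign_form_state("3", now=1136895378)
    print("hidden field value:", token)
    print("valid  ->", verify_form_state(token, now=1136895378 + 10))
    tampered = "4" + token[1:]          # client changed the id
    print("tampered ->", verify_form_state(tampered, now=1136895378 + 10))
    print("expired ->", verify_form_state(token, now=1136895378 + 7200))
```

The `now` parameter is only there to make the freshness window testable; in request handling both functions are called without it. Rotating `SERVER_SECRET` invalidates every outstanding form-state field at once, which is the intended behaviour for a per-session secret like the one Michael proposes.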