>>>>> "Ed" == Ed Park <[EMAIL PROTECTED]> writes:

Ed> Has anyone else thought about this?

If you're generating the form on the fly (and who isn't, these days?),
just spit a serial number into a hidden field.  Then lock out two or
more submissions with the same serial number, with a 24-hour retention
of numbers you've generated.  That'll keep 'em from hitting "back" and
resubmitting too.

To keep DOS attacks at a minimum, it should be a cryptographically
secure MD5, to prevent others from lojacking your session.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
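
The scheme described above, as an added example that is not part of the original thread: a random serial goes into a hidden field, signed with an HMAC so the server only honours serials it minted (HMAC-SHA256 here stands in for the MD5 the post mentions), and the checking side rejects any serial it has already seen, forgetting serials after 24 hours. The secret key, the injectable clock and the in-memory store are assumptions for the illustration.

```python
import hmac, hashlib, secrets, time
from html import escape

RETENTION_SECONDS = 24 * 60 * 60  # how long issued serials are remembered


class FormTokenStore:
    """Mints one-time serials for hidden form fields and rejects duplicates."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret          # server-side key; never sent to the browser
        self._now = now                # injectable clock (assumed, for testing)
        self._serials = {}             # serial -> [issued_at, already_used]

    def _mac(self, serial: str) -> str:
        # Bind the serial to our key so nobody can mint or guess valid ones
        return hmac.new(self._secret, serial.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        """Return a fresh token to embed in the form being generated."""
        self._expire()
        serial = secrets.token_hex(16)
        self._serials[serial] = [self._now(), False]
        return f"{serial}.{self._mac(serial)}"

    def consume(self, token: str) -> bool:
        """Accept the submission only if the token is ours and unused."""
        self._expire()
        serial, _, mac = token.partition(".")
        if not serial or not hmac.compare_digest(mac.encode(), self._mac(serial).encode()):
            return False               # forged or mangled: not minted by us
        entry = self._serials.get(serial)
        if entry is None:
            return False               # older than the retention window
        if entry[1]:
            return False               # double-click or "back" + resubmit
        entry[1] = True
        return True

    def _expire(self) -> None:
        cutoff = self._now() - RETENTION_SECONDS
        for serial in [s for s, (t, _) in self._serials.items() if t < cutoff]:
            del self._serials[serial]


def hidden_field(token: str) -> str:
    """The hidden input to splice into the generated form."""
    return f'<input type="hidden" name="form_serial" value="{escape(token)}">'
```

In a real deployment the store would live in a shared cache or database rather than one process's memory, since a second submission may land on a different server.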
