Forum OpenACS Q&A: Response to Ben's scary authentication bug.

As I recall, checking the referer was an adequate solution, but (?)
caused problems with older browsers. An off-the-top-of-my-head
fix for this problem would be to add a list of callers to
ad_page_contract and then, if the referer didn't match, put up a
"do you really want to do this?" screen. (Then of course people
spoof the "really want to do this" screen.) Another option is to add
a secret hash into submissions -- this goes along with the
doubleclick stuff people were talking about.

But all of this is more along the lines of ACS4 fixes -- there's no
easy way to close the hole for past versions.
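The two mitigations sketched in the post, a referer check that falls back to a confirmation screen when the header is absent, and a secret hash (an HMAC bound to the session and the target page) carried in the submission, as an added example. This is illustrative Python, not OpenACS or ad_page_contract code; the server secret, session id, site hostname and form actions are constructed placeholders. Making each token single-use also covers the double-submit ("doubleclick") case the post mentions, since a second click arrives with an already-consumed nonce.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed placeholders. A real deployment loads the secret from
# configuration and takes the session id from the login cookie.
SERVER_SECRET = b"example-only-secret-do-not-ship"
SESSION_ID = "sess-8f3a21"
SITE_HOST = "openacs.example.org"  # assumed hostname of this server

# Outstanding nonces per session; an in-memory stand-in for server-side state.
ISSUED = {}


def check_referer(referer, site_host=SITE_HOST):
    """Classify a submission by its Referer header.

    'allow'  - header names our own host
    'prompt' - header missing (older or privacy-conscious browsers), so
               show a "do you really want to do this?" screen instead of
               rejecting outright
    'deny'   - header names a foreign host
    """
    if not referer:
        return "prompt"
    host = urlparse(referer).hostname
    return "allow" if host == site_host else "deny"


def _mac(session_id, action, nonce, secret):
    msg = f"{session_id}|{action}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, action, secret=SERVER_SECRET):
    """Secret hash to embed as a hidden form field when rendering the page.

    Binding the HMAC to the session and the target action means a token
    lifted from one user's page, or from a different form, does not verify.
    """
    nonce = secrets.token_hex(8)
    ISSUED.setdefault(session_id, set()).add(nonce)
    return f"{nonce}:{_mac(session_id, action, nonce, secret)}"


def verify_token(token, session_id, action, secret=SERVER_SECRET):
    """True if the HMAC matches and the nonce is still outstanding (unused)."""
    try:
        nonce, mac = token.split(":", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(session_id, action, nonce, secret)):
        return False
    return nonce in ISSUED.get(session_id, set())


def consume_token(token, session_id, action, secret=SERVER_SECRET):
    """verify_token plus retirement of the nonce, so a replay or a second
    click on the same form fails."""
    if not verify_token(token, session_id, action, secret):
        return False
    nonce = token.split(":", 1)[0]
    ISSUED[session_id].discard(nonce)
    return True


def handle_submission(referer, token, session_id, action):
    """Combine both checks for one incoming POST.

    Returns 'reject', 'confirm' (show the confirmation screen, leaving the
    token outstanding so the confirm form can carry it through) or 'accept'.
    """
    verdict = check_referer(referer)
    if verdict == "deny":
        return "reject"
    if not verify_token(token, session_id, action):
        return "reject"
    if verdict == "prompt":
        return "confirm"
    consume_token(token, session_id, action)
    return "accept"


if __name__ == "__main__":
    tok = issue_token(SESSION_ID, "/forums/message-post")
    print(handle_submission(None, tok, SESSION_ID, "/forums/message-post"))
    print(handle_submission("https://openacs.example.org/forums/message-post",
                            tok, SESSION_ID, "/forums/message-post"))
    print(handle_submission("https://openacs.example.org/forums/message-post",
                            tok, SESSION_ID, "/forums/message-post"))
```

The referer check alone is the weaker of the two: a missing header cannot be distinguished from a stripped one, and, as the post notes, a confirmation screen can itself be spoofed. The HMAC token is what actually stops a forged cross-site submission, because the attacking page never sees the victim's session-bound value.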