Forum OpenACS Q&A: Response to Securing form submissions

Posted by carl garland on
One approach could be to generate an nsv id that would consist of a list containing the referer page and time created. Example on your form input page:

    set tag_id [nsv_incr . security_tag_id]
    nsv_set form_security_tags $tag_id [list [ns_time] [ns_conn url]]

Also send the tag_id in the form as a hidden variable.

Then in your target page call a validify proc that would check for the existence of the tag_id form variable, the existence of the nsv array variable, and confirm that the referer matches up.
Your time stamp in the nsv array makes it easy to schedule a procedure to cycle through the array and flush out any values that you may wish to expire after a certain time period.
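The tag lifecycle sketched in the reply above, as an added example in AOLserver Tcl that is not part of the original post. The proc names, the hidden field name form_tag_id and the form_security_seq counter array are this example's own choices; the nsv_* and ns_* calls are AOLserver's.

```tcl
# Form page: allocate an id and record when and where it was issued.
# The page then emits <input type="hidden" name="form_tag_id" value="$tag_id">.
proc form_tag_create {} {
    set tag_id [nsv_incr form_security_seq next_id]
    nsv_set form_security_tags $tag_id [list [ns_time] [ns_conn url]]
    return $tag_id
}

# Target page: the hidden form_tag_id must exist in the nsv array, must be
# younger than max_age seconds, and the Referer path must match the page
# that issued it.  The tag is removed on every attempt so it cannot be
# replayed.  Returns 1 when the submission is accepted, 0 otherwise.
proc form_tag_validate {{max_age 900}} {
    set tag_id [ns_queryget form_tag_id]
    if {[string length $tag_id] == 0 || ![nsv_exists form_security_tags $tag_id]} {
        return 0
    }
    set entry [nsv_get form_security_tags $tag_id]
    nsv_unset form_security_tags $tag_id
    set created    [lindex $entry 0]
    set issued_url [lindex $entry 1]
    if {[ns_time] - $created > $max_age} {
        return 0
    }
    # Only the path part of the Referer is compared; a missing or
    # malformed header fails the check.
    set referer [ns_set iget [ns_conn headers] Referer]
    if {![regexp {^https?://[^/]+(/[^?#]*)} $referer -> referer_path]} {
        return 0
    }
    return [string equal $referer_path $issued_url]
}

# Scheduled sweep: drop tags older than max_age that were never submitted.
# Install from a startup file with, for example: ns_schedule_proc 60 form_tag_flush
proc form_tag_flush {{max_age 900}} {
    set now [ns_time]
    foreach {tag_id entry} [nsv_array get form_security_tags] {
        if {$now - [lindex $entry 0] > $max_age} {
            nsv_unset form_security_tags $tag_id
        }
    }
}
```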