Handling form security

So how do you maintain the form security about posting data to different page problem? For instance you have a member and he/she tries to change the personal settings and you redirected member to

www.domain.com/member/change/member_id

member changed the values and post the data to another page by changing the action with firebug or something else. For instance

www.domain.com/member/change/m开发者_运维百科ember_id_2

How do you handle this problem without using sessions?

This problem arises when there are no server side validations!

So, the solution is to have server side validations.

Why not use Session state? It's designed for that.

Alternatively use cookies or URL's with unique session style ID embedded in it, which allows you to tie it back to a specific user.

How do you handle members without session? Before modifying anything, check if the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same url, and with firebug you change the form to point to /members/change/2. When processing the form, you have to check if the userid in the form is the current user's id, and if not, display an error.

You could crypt the identity information (member_id) and add it as parameter or url path. When the request is posted to the member_id form, you can verify that the crypted member_id (which is part of the request) matches the member_id.