Storing previous URL as session data

[eluser]n0xie[/eluser]
That's all assuming the MD5 seed is random. Since you use time() as basis, the possible MD5 outcome is reduced incredibly. That and the fact that you're not trying to break MD5, just try to accomplish a collision, makes the chance a lot more likely.

For example. Time gives the current timestamp. This 'simply' generates 60 hashes per second which are predefined. That's a lot less 'probability' than what you are proposing.

But the point wasn't that MD5 is insecure, or that brute-forcing MD5 isn't that hard these days. The point is that if you don't use GET but a simple POST request (including a nonce), all these problems go away. Not only that, but you are implementing the HTTP specs as it was intended.