MY_Form_Validation w/ spam and CSRF protection
#6

WanWizard:
@n0xie:

If you also make the form field name random, how do you figure out which of the elements in the POST contains your nonce? Do you simply check the existence of the generated name (and if it exists, check the nonce)?

One of the issues I had with a simple key=>value session variable for the nonce was that a user can, within a session, have several screens open, all with forms. So you need to be able to track multiple issued nonces at once. I also use the nonce protection to protect against double posting (e.g. back button usage) by storing used nonces separately, with an expiry timestamp. If a form is posted with an invalid nonce, but the nonce exists in the used list, I can issue an appropriate error message.

My template library automatically inserts nonces in forms, and I've extended the form validation library so the run() method checks and validates the nonce as well. This way every form is automatically protected, and the developer doesn't have to worry about dealing with CSRF protection.
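
One way to build the nonce store the post above describes (many live nonces per session so several open tabs each keep a working form, a separate used list with an expiry so a double post can be told apart from a forged or expired nonce, and a random field name that is located by checking which issued name is present in the POST). This is an added example, not WanWizard's code and not part of the MY_Form_Validation library: it is plain PHP with a `$session` array standing in for the CodeIgniter session, and the class name `NonceStore`, the TTL constants and the cap on live nonces are assumptions chosen for the example.

```php
<?php
// Added example, not CodeIgniter or MY_Form_Validation code.
// $session is a hypothetical array standing in for the framework session,
// so the class can be exercised from the CLI without a web request.

final class NonceStore
{
    const ACTIVE_TTL = 3600;   // seconds an unused nonce stays valid (assumption)
    const USED_TTL   = 3600;   // seconds a consumed nonce is remembered (assumption)
    const MAX_ACTIVE = 20;     // cap on concurrently open forms per session (assumption)

    /** @var array<string,mixed> reference to the session data */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        $this->session += ['nonces_active' => [], 'nonces_used' => []];
    }

    /** Issue a nonce for a new form; returns [fieldName, token]. */
    public function issue(): array
    {
        $now = time();
        $this->purge($now);
        // Random field name: the form field itself is not predictable either.
        $field = 'f_' . bin2hex(random_bytes(6));
        $token = bin2hex(random_bytes(16));
        // Keyed by field name so several live forms can coexist in one session.
        $this->session['nonces_active'][$field] = ['token' => $token, 'issued' => $now];
        // Keep the cap: drop the oldest issued nonce once too many are live.
        while (count($this->session['nonces_active']) > self::MAX_ACTIVE) {
            array_shift($this->session['nonces_active']);
        }
        return [$field, $token];
    }

    /** Check a submitted POST array: 'ok', 'replay' (already used) or 'invalid'. */
    public function validate(array $post): string
    {
        $now = time();
        $this->purge($now);
        // Find the field by its issued (random) name: whichever live name is present.
        foreach ($this->session['nonces_active'] as $field => $entry) {
            if (!isset($post[$field]) || !is_string($post[$field])) {
                continue;
            }
            if (!hash_equals($entry['token'], $post[$field])) {
                return 'invalid';
            }
            // Consume it: move from the live list to the used list with an expiry.
            unset($this->session['nonces_active'][$field]);
            $this->session['nonces_used'][$field] = [
                'token'   => $entry['token'],
                'expires' => $now + self::USED_TTL,
            ];
            return 'ok';
        }
        // Not live any more: was this exact nonce consumed before (double post)?
        foreach ($this->session['nonces_used'] as $field => $entry) {
            if (isset($post[$field]) && is_string($post[$field])
                && hash_equals($entry['token'], $post[$field])) {
                return 'replay';
            }
        }
        return 'invalid';
    }

    /** Drop expired live nonces and expired used-list entries. */
    private function purge(int $now): void
    {
        foreach ($this->session['nonces_active'] as $field => $entry) {
            if ($entry['issued'] + self::ACTIVE_TTL < $now) {
                unset($this->session['nonces_active'][$field]);
            }
        }
        foreach ($this->session['nonces_used'] as $field => $entry) {
            if ($entry['expires'] < $now) {
                unset($this->session['nonces_used'][$field]);
            }
        }
    }
}

// Demo with constructed input: two forms open at once, one of them posted twice.
$session = [];
$store = new NonceStore($session);
[$fieldA, $tokenA] = $store->issue();
[$fieldB, $tokenB] = $store->issue();
echo $store->validate([$fieldB => $tokenB, 'comment' => 'first post']), "\n";
echo $store->validate([$fieldB => $tokenB, 'comment' => 'first post']), "\n";
echo $store->validate([$fieldA => 'not-the-token']), "\n";
echo $store->validate([$fieldA => $tokenA]), "\n";
echo $store->validate(['comment' => 'no nonce at all']), "\n";
```

The demo submits form B, submits it again, posts a wrong token for form A, posts the correct one, and finally posts with no nonce field: the store answers ok, replay, invalid, ok, invalid in that order, so the caller can give the "already submitted" message only in the replay case and treat the rest as a CSRF or expiry failure. `hash_equals` keeps the token comparison constant-time, and the field name rather than the token is the key for both lists so that the lookup on a POST is a direct index rather than a scan of every value.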


Messages In This Thread: MY_Form_Validation w/ spam and CSRF protection - 16 posts by El Forum, 06-07-2010 10:50 AM to 07-12-2010 10:16 AM


