I have a PHP script (script A) that makes a query to the database, stores the result in a session variable and produces an HTML page containing a form that allows the user to post a submission (optionally). Upon submission, the result stored in the session variable is used for processing in another script (script B).
As the HTML page is not unique, the user may open multiple tabs showing different pages generated by script A. Since the session variable can only hold data for the latest generated page, when the user clicks on any of the previous tabs and does a submission, the wrong set of session data will be used.
One way to prevent this from happening is to force the page to automatically reload before submission occurs. Is there any better and secure way to do this short of re-querying the database in script B?
Generate a secret token and a hash of it.
Add the secret token to your $_SESSION.
Add the hash to the form as a hidden input element.
On submission, create the hash from the secret token in $_SESSION.
Compare it to the submitted hash. If it mismatches, you know that the form is wrong for your session.
You can extend that by keying the data with the hash inside your $_SESSION:
Then you can even process multiple forms (and multiple form instances) correctly.
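The keyed variant described in this answer, written out as an added example that is not part of the original answer. The function names issue_form and redeem_form, the 'forms' session key and the sample rows are assumptions, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Script A side: store the query result under a per-form key and return the
// hash to embed in the hidden input (escape it with htmlspecialchars()).
// $session stands in for $_SESSION (assumption for this example).
function issue_form(array &$session, array $queryResult): string
{
    $secret = bin2hex(random_bytes(32));   // stays on the server
    $hash   = hash('sha256', $secret);     // sent to the browser
    $session['forms'][$hash] = ['secret' => $secret, 'data' => $queryResult];
    return $hash;
}

// Script B side: return the data that belongs to the submitted form, or null
// when the hash is not known to this session. Each entry is single use.
function redeem_form(array &$session, mixed $submitted): ?array
{
    if (!is_string($submitted) || !isset($session['forms'][$submitted])) {
        return null;
    }
    $entry = $session['forms'][$submitted];
    // Recreate the hash from the stored secret and compare in constant time.
    if (!hash_equals(hash('sha256', $entry['secret']), $submitted)) {
        return null;
    }
    unset($session['forms'][$submitted]);  // a resubmission is rejected
    return $entry['data'];
}

// Constructed demo: two tabs opened in order, then submitted.
$session = [];  // in a real request: session_start(), then pass $_SESSION
$tab1 = issue_form($session, ['id' => 1, 'title' => 'first page']);
$tab2 = issue_form($session, ['id' => 2, 'title' => 'second page']);

// The older tab still resolves to its own data.
var_dump(redeem_form($session, $tab1)['title']);
// Submitting the same form again finds no entry.
var_dump(redeem_form($session, $tab1));
// A hash that was never issued to this session is refused.
var_dump(redeem_form($session, str_repeat('0', 64)));
// The newer tab is unaffected by the earlier submissions.
var_dump(redeem_form($session, $tab2)['title']);
```

Entries for tabs that are never submitted stay in the session until it expires, so cap their number or store an issue time and drop old ones.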