Many sources suggest adding tokens to forms to make form submission more secure.
I added tokens to all forms in the forum and now I have the following problem:
Some users open several browser tabs with different forum threads. The reply form is located below each thread. So, if a user opens one browser tab with one thread, then another tab with another thread, the token in the first form is no longer valid and the user will get an error if they try to submit the first form. The solution for such situations is a captcha, but I don’t want to make everything so complicated for my users.
Can you suggest any other method of adding security to the forms?
Thanks.
Why is the token invalidated when opening a new tab? As long as the token is generated from some secret known to the session or logged in user there should be no need to invalidate it when opening a new thread.
Here’s one way to do this:
Along with the normal measures for keeping the session secure (timeout, reset on login, etc.), this should keep your forms fairly safe without any inconvenience for the users.
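One way to implement what the answer describes, as an added example that is not part of the original post: the token is an HMAC of the session id under a server key, so every tab of the same session renders the same valid token and nothing is invalidated when another thread is opened. The session store, server key and `handle_reply` handler are constructed stand-ins, not the forum's own code.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a server-side key loaded once at startup.
# A real forum would read it from its configuration, not generate it per run.
SERVER_KEY = secrets.token_bytes(32)


def new_session() -> dict:
    """Constructed stand-in for the forum's session store entry."""
    return {"id": secrets.token_hex(16), "user": "alice"}


def form_token(session: dict) -> str:
    """Token to embed in every form rendered for this session.

    Derived from the session id with the server key, so it is identical on
    every page and tab of the session; opening a second thread does not
    invalidate the form already open in the first tab.
    """
    return hmac.new(SERVER_KEY, session["id"].encode(), hashlib.sha256).hexdigest()


def verify_token(session: dict, submitted: str) -> bool:
    """Recompute the expected token and compare in constant time."""
    return hmac.compare_digest(form_token(session), submitted)


def render_reply_form(session: dict, thread_id: int) -> str:
    """The reply form below a thread, carrying the token as a hidden field."""
    return (f'<form method="post" action="/reply/{thread_id}">'
            f'<input type="hidden" name="csrf_token" value="{form_token(session)}">'
            f'</form>')


def handle_reply(session: dict, thread_id: int, posted: dict) -> str:
    """Server side of the submit: the posted token must match the session's."""
    if not verify_token(session, posted.get("csrf_token", "")):
        return "rejected: missing or invalid token"
    return f"reply posted to thread {thread_id}"


def tab_scenario() -> tuple:
    """Two tabs opened in sequence; the first form must still submit."""
    session = new_session()
    tab1 = render_reply_form(session, 7)   # first thread opened
    render_reply_form(session, 9)          # second thread opened later
    token1 = tab1.split('value="')[1].split('"')[0]
    first = handle_reply(session, 7, {"csrf_token": token1})
    # A cross-site page cannot read the user's form, so it has no valid token.
    forged = handle_reply(session, 7, {"csrf_token": "0" * 64})
    # A token from one session is useless against another session.
    other = handle_reply(new_session(), 7, {"csrf_token": token1})
    return first, forged, other
```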