Henry Wong wrote: Another option would be to switch to using POST forms -- instead of GET. And using https.
Yes, but more fundamentally, never trust anything from the client.
It's much more secure to send a random nonce to the user, put it in a hidden field. Use the nonce in your server to index into a HashMap to get whatever data you need.
Using POST and HTTPS is good, but still implies that you are trusting the client software. And it may not be what you think it is.
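One way to implement the nonce-keyed lookup described in the reply above, as an added example and not code from the thread: the server generates an unguessable token with SecureRandom, keeps the real data (here a constructed user id and price) in a server-side map, puts only the token in the hidden field, and on submission consumes the token once. The field name `token`, the ten-minute lifetime and the sample values are assumptions for illustration; a real application would additionally tie the entry to the user's session and use the session to decide who may redeem it.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side store: the client only ever sees an opaque nonce, never the data itself. */
public final class NonceStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 10 * 60 * 1000L; // assumed 10-minute lifetime

    /** What the server remembers about a pending form, keyed by nonce. */
    static final class Entry {
        final String userId;
        final long priceCents;
        final long issuedAt;

        Entry(String userId, long priceCents, long issuedAt) {
            this.userId = userId;
            this.priceCents = priceCents;
            this.issuedAt = issuedAt;
        }
    }

    private final Map<String, Entry> pending = new ConcurrentHashMap<>();

    /** Called while rendering the form: returns the value to place in the hidden field. */
    public String issue(String userId, long priceCents) {
        byte[] raw = new byte[32];                 // 256 bits: not guessable by enumeration
        RNG.nextBytes(raw);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(nonce, new Entry(userId, priceCents, System.currentTimeMillis()));
        return nonce;
    }

    /**
     * Called on submission: looks the nonce up and consumes it, so a replayed or
     * guessed token yields nothing. The price comes from the map, never from the client.
     */
    public Optional<Entry> redeem(String nonceFromClient) {
        if (nonceFromClient == null) {
            return Optional.empty();
        }
        Entry e = pending.remove(nonceFromClient); // single use: a second submit finds nothing
        if (e == null) {
            return Optional.empty();
        }
        if (System.currentTimeMillis() - e.issuedAt > TTL_MILLIS) {
            return Optional.empty();               // expired entry is discarded
        }
        return Optional.of(e);
    }

    public static void main(String[] args) {
        NonceStore store = new NonceStore();
        String hidden = store.issue("alice", 4999); // constructed sample data

        // What the page sends to the browser: the token only, no user id, no price.
        System.out.println("<input type=\"hidden\" name=\"token\" value=\"" + hidden + "\">");

        // Legitimate submission: the server recovers its own stored data.
        Optional<Entry> first = store.redeem(hidden);
        System.out.println("first submit accepted: " + first.isPresent()
                + ", price from server: " + first.map(x -> x.priceCents).orElse(-1L));

        // Replayed token and a forged token are both rejected.
        System.out.println("replay accepted: " + store.redeem(hidden).isPresent());
        System.out.println("forged accepted: " + store.redeem("not-a-real-nonce").isPresent());
    }
}
```

Whatever else the browser sends along with `token` (a tampered price field, a different user id) is simply ignored, because the handler reads those values from the server-side entry; that is the "never trust anything from the client" point applied concretely.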