session security opinion requested
Posted: Fri Jan 13, 2006 1:35 pm
I have a contact form that when the form is submitted, if it errors it passes back to the form with an &error=field on the URL. The error is looked at and displays an error message based on what is wrong.
I'm using $_SESSION to pass the info back to the form so it's still filled out the way they left it.
If they successfully submit the form, the thank you page will destroy the session data.
If they navigate away from the unfinished form and come back to it through a link, the session is destroyed.
The only minor issue I see is if they navigate away from the errored form and don't come back to it, the session isn't destroyed. What can happen if the session isn't destroyed?
Is there a major concern with this?
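
The flow described in the post, as an added PHP example that is not the poster's code: the form values live under one session key, are consumed on the next display of the form, and are removed with unset() rather than by destroying the whole session, so a visitor who leaves after an error leaves only that one key behind until the session expires. The field names, the messages, the `contact_form` key and `thanks.php` are assumptions.

```php
<?php
// Added example; FORM_KEY, FIELDS, $messages and thanks.php are hypothetical names.
session_start();
const FORM_KEY = 'contact_form';             // only this key holds form data
const FIELDS   = ['name', 'email', 'message'];
$messages = [                                 // allowlist of ?error= values
    'name'    => 'Please enter your name.',
    'email'   => 'Please enter a valid e-mail address.',
    'message' => 'Please enter a message.',
];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = [];
    foreach (FIELDS as $f) {
        $v = $_POST[$f] ?? '';
        $data[$f] = is_string($v) ? trim($v) : '';   // ignore array input
    }
    $bad = null;
    if ($data['name'] === '') { $bad = 'name'; }
    elseif (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) { $bad = 'email'; }
    elseif ($data['message'] === '') { $bad = 'message'; }

    if ($bad !== null) {
        $_SESSION[FORM_KEY] = $data;          // keep values for the redisplay
        header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?error=' . $bad);
        exit;
    }
    unset($_SESSION[FORM_KEY]);               // success: drop only the form data
    header('Location: thanks.php');
    exit;
}

// The error code only selects a fixed message; it is never echoed itself.
$errorField = $_GET['error'] ?? '';
$errorText  = is_string($errorField) ? ($messages[$errorField] ?? '') : '';
// Saved values are used once, and only when arriving from an error redirect.
$saved = $errorText !== '' ? ($_SESSION[FORM_KEY] ?? []) : [];
unset($_SESSION[FORM_KEY]);
// Escape on output: the saved values are still untrusted user input.
$h = fn($k) => htmlspecialchars((string)($saved[$k] ?? ''), ENT_QUOTES, 'UTF-8');
?>
<?php if ($errorText !== ''): ?><p class="error"><?= $errorText ?></p><?php endif; ?>
<form method="post">
  <input name="name" value="<?= $h('name') ?>">
  <input name="email" value="<?= $h('email') ?>">
  <textarea name="message"><?= $h('message') ?></textarea>
  <button type="submit">Send</button>
</form>
```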