Creating a token to verify a form's origin
Posted on 2011-10-11
I'd like to create a token, as a hidden input, to keep a form 'pure'. I'd like to prevent someone from altering the form. Here's an example:
- user loads page with form
  - before the page is sent to the user
  - a token is created // token = hash(time + salt) perhaps?
  - token is stored in database (assuming there are no duplicates) with timestamp
  - token and timestamp are inserted into the form as hidden inputs
- page is loaded
- user submits form
  - token and timestamp are submitted with form data
  - check database for token and timestamp
  - if exists, continue and remove row from database
  - if not exists, fail and start over with new token
What do you think? I'm looking for a best practice, is there a better way?
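The issue/submit/redeem flow from the question, written out as an added example (not code from the original post). It assumes an in-memory dict standing in for the database table, a hypothetical `max_age` expiry that the post does not mention, and `secrets.token_hex` as the token source in place of the `hash(time + salt)` idea; tokens are removed on first lookup so a token can never be redeemed twice.

```python
import html
import secrets


class FormTokenStore:
    """Issue single-use form tokens and redeem them exactly once.

    `_issued` is a constructed stand-in for the database table:
    token -> timestamp at which it was issued.
    """

    def __init__(self, max_age=600):
        self._issued = {}
        self.max_age = max_age  # assumed expiry window in seconds (not in the post)

    def issue(self, now):
        """Step 'before the page is sent': create and record a token + timestamp."""
        token = secrets.token_hex(16)  # CSPRNG instead of hash(time + salt)
        self._issued[token] = int(now)
        return token, int(now)

    def hidden_inputs(self, token, ts):
        """Step 'inserted into the form as hidden inputs'; values are HTML-escaped."""
        return (
            f'<input type="hidden" name="form_token" value="{html.escape(token)}">'
            f'<input type="hidden" name="form_ts" value="{int(ts)}">'
        )

    def redeem(self, token, submitted_ts, now):
        """Step 'check database for token and timestamp'.

        The row is removed whether or not the check passes, so a failed or
        expired submission must start over with a new token.
        """
        stored_ts = self._issued.pop(token, None)
        if stored_ts is None:
            return False  # unknown token, or already used once
        if int(submitted_ts) != stored_ts:
            return False  # hidden timestamp was altered
        if int(now) - stored_ts > self.max_age:
            return False  # form sat too long; issue a fresh token
        return True

    def purge_expired(self, now):
        """Housekeeping: drop rows older than max_age so the table cannot grow unbounded."""
        stale = [t for t, ts in self._issued.items() if int(now) - ts > self.max_age]
        for t in stale:
            del self._issued[t]
        return len(stale)
```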