Only Allow My Server to Post Data From a PHP Form

Been searching online for an answer and can't find anything.  Let's say I have a simple PHP form.  It uses session variables so it knows the user's username.  Is there a way to prevent a user from logging in, then opening another tab in their browser and using a copy of that form located on their server and submitting the values to my form that processes the values?  I know I can check the header, but that can be faked.  Same thing with the IP address.  I just want to be able to know with certainty that when a form is submitted, it came from a user using my form on my server.  My actual need is a little more complicated than this, but the general premise is the same, so I tried to make it as simple as possible.  Thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Trenton KnewOwner / Computer WhispererCommented:
can you have your form look for a file stored in a private directory prior to submission?  I would imagine you could have this file in a folder inaccessible to the outside world, but browseable by the script using a relative path?  If file not exist, then form doesn't work.  I can't give more specifics than this with my limited knowledge, unfortunately, but maybe this sets you on the right path.
Dave BaldwinFixer of ProblemsCommented:
It's true that the 'HTTP_REFERER' can be faked but it is not nearly so easy to fake the IP address.  The IP address is part of the actual connection in the network and not something sent along by the source.  And... the 'REMOTE_ADDR' is going to be the client's IP address.  And since your server's IP address should always be the same it doesn't make any sense to check that.  I always check the 'HTTP_REFERER' too because spammers are generally too lazy to fake it.

On the other hand... if it is the same form with the same values... what difference does it make?  They are already on your site if they can copy the form page.  If they are not on your site then the session id is not going to match and the $_SESSION data isn't going to be there either.

I check up to 6 different things on a POST page.  I usually track the 'REMOTE_ADDR' so I can see if the posts are coming from the same place, I check the 'HTTP_REFERER' which should be the HTML form page where the data was entered, I check the $_SESSION data where appropriate, and I find various ways of including details in the form post that I can check.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
Use a CAPTCHA test.

But really, what Dave Baldwin said: "On the other hand... if it is the same form with the same values... what difference does it make?"
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Jason92sAuthor Commented:
Thanks All.  It would take all day to explain why I'm really asking, but this definitely points me in the right direction and will solve my issue.
Dave BaldwinFixer of ProblemsCommented:
You're welcome, glad to help.  Basically, the more different things you can check, the more you can 'secure' your form.  Most people who try to break in are generally lazy, they don't want to work any harder than they have to.  

One thing that is useless is 'hidden' input fields.  Those will be collected the first time someone scans your form page.

One thing that is Necessary for any kind of 'private' or 'personal' data is SSL/TLS for HTTPS encryption.  People who have the resources to capture your network traffic will be able to 'see' everything if it is not encrypted using SSL/TLS.
Jason92sAuthor Commented:
Excellent points Dave, thanks again for all your help on this. It's very much appreciated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.