server is coming from my server, and not from a form someone
else pieced together (in an attempt to hack my system)? I
assume I need to check the referer information, but beyond that,
I'm not sure where to start.
In general, you need to consider that every page on your web site
is a program with inputs that can be manipulated by a
mischievous individual. You *cannot* trust any of the inputs to
your web page. Thus, you must check that supposed integers
are indeed integers. You must ensure that you don't send the
user_id back and forth as a hidden form variable. Etc.... Every
input to your web page should be considered insecure.
Web security is hard....
set tag_id [nsv_incr . security_tag_id]
nsv_set form_security_tags $tag_id [list [ns_time] [ns_conn url]]
Also send the tag_id in the form as a hidden variable
Then in your target page call a validation proc that would check for the existence of the tag_id form variable, the existence of the nsv array variable, and confirm that the referer matches up.
Your time stamp in the nsv array makes it easy to schedule a procedure to cycle through the array and flush out any values that you may wish to expire after a certain time period.
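The scheme described above, written out as an added example that is not part of the original reply. It assumes an AOLserver Tcl environment (nsv_*, ns_conn, ns_time, ns_schedule_proc); the array name form_security_tags and the hidden field tag_id come from the post, while the counter array and the proc names are hypothetical.

```tcl
# Added example (not from the original post). Assumes AOLserver Tcl.
# Array "form_security_tags" and field "tag_id" follow the post;
# "form_security_counter" and the proc names are hypothetical.

# Issue a one-time tag while rendering the form; put it in a hidden field.
proc issue_form_tag {} {
    set tag_id [nsv_incr form_security_counter next_id]
    nsv_set form_security_tags $tag_id [list [ns_time] [ns_conn url]]
    return $tag_id
}

# Call from the target page. Returns 1 if the submission carries a live,
# unexpired tag issued by this server; consumes the tag so it cannot be
# replayed. Returns 0 otherwise.
proc validate_form_tag {max_age_seconds} {
    set tag_id [ns_set get [ns_conn form] tag_id]
    # Tag must be present, an integer, and known to the server.
    if {![regexp {^[0-9]+$} $tag_id] || ![nsv_exists form_security_tags $tag_id]} {
        return 0
    }
    set entry [nsv_get form_security_tags $tag_id]
    nsv_unset form_security_tags $tag_id   ;# one use only
    set issued_at [lindex $entry 0]
    set form_url  [lindex $entry 1]
    if {[ns_time] - $issued_at > $max_age_seconds} {
        return 0
    }
    # Referer should point back at the page that issued the tag. Browsers
    # may omit it and clients can set it freely, so it is a supporting
    # check; the server-side tag is the real test.
    set referer  [ns_set iget [ns_conn headers] Referer]
    set expected [ns_conn location]$form_url
    if {[string length $referer] > 0 && [string first $expected $referer] != 0} {
        return 0
    }
    return 1
}

# Sweep tags older than max_age_seconds; scheduled every 5 minutes.
proc expire_form_tags {max_age_seconds} {
    set now [ns_time]
    foreach {tag_id entry} [nsv_array get form_security_tags] {
        if {$now - [lindex $entry 0] > $max_age_seconds} {
            nsv_unset form_security_tags $tag_id
        }
    }
}
ns_schedule_proc 300 [list expire_form_tags 900]
```

A plain counter makes tag values predictable, so a tag known only to the server is what stops a forged form, not the number itself being hard to guess; mixing in a random component would make it harder still.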