Preventing Form Abuse With Temporal Caching And UUIDs
To prevent abuse, we've implemented a workflow that temporarily caches user-specific data and generates a token. Upon submission, the UUID is used to perform a look-up of cached data. If it doesn't exist or doesn't match, the attempt is rejected.
There's been many occasions where a user-specific payload has been generated (shopping cart, check out, config settings, processing results) and the user needs to be directed to a new destination with the data, but I want to avoid non-securely passing data as URL or form parameters or having to enable and/or leverage session variables. We've encountered issues where the content could be blocked due to complex WAF rules that are beyond our editable control... especially if there's anything that resembles HTML or contains certain sequences. There's also abuse issues as automated software can sca...