I have a Controller with 2 functions - PostForm() and doPost(), to show form and to handle POST action accordingly. In my form I want to add my own field, something like captcha. I store current time in session and add this value to the form as hidden field.
After posting the form I compare session and POST values. But in my case these values always different. After some logging I found that after posting the form, PostForm() called just before doPost() to obtain form fields, I guess, so my session value rewrited.
And my question - how can I avoid this behavior? To store session in some private place? or to add condition based on URL?
All advices are welcome!
Thank you Devlin for you interest.
In my case security token is not enough just because is it not difficult to parse it by some spam engine. I want to disallow comments posted in 60 sec after page was loaded. so I store time in session and check it on form sibmittion. Hidden field here is not so necessary, just one more verification.
Let's say there is no hidden field, just session.