Transmitting the Correct Session Data when Multiple Tabs are Opened on a Web Browser

Question

I have a PHP script (script A) that makes a query to the database, stores the result in a session variable and produces a HTML page containing a form that allows the user to post a submission (optionally). Upon submission, the result stored in the session variable is used for processing in another script (script B).

As the HTML page is not unique, the user may open multiple tabs showing different pages generated by script A. Since the session variable can only hold data for the latest generated page, when the user clicks on any of the previous tabs and do a submission, the wrong set of session data will be used.

One way to preventing this from happening is to force the page to automatically reload before submission occurs. Is there any better and secure way to do this short of re-querying the database in script B?

Answer 1

a PHP script (script A) that makes a query to the database, stores the result in a session variable

What for? What's the point in storing data you already have?

Upon submission, the result stored in the session variable is used for processing in another script (script B)

What for? Why can't you submit your form directly to B?

I see no point in using sessions here at all. Or at least according to your current description.

Answer 2

Generate a secret token and a hash of it.

Add the secret token to your $_SESSION.

Add the hash to the form as a hidden input element.

On Submission, create the hash from the secret token in $_SESSION.

Compare it to the submitted hash. If it mismatches, you know that the form is wrong for your session.

You can extend that, by keying the data with the hash inside your $_SESSION:

$_SESSION[$hash] = your form data

Then you can even process multiple forms (and multiple form instances) correctly.