How to restrict my app to a single browser tab?

孤城傲影 2021-01-06 00:16

Frankly, it's just causing too much hassle in v1.0 to have a functionality which requires three form submissions, with $_SESSION session data holding all of

5 answers
  •  无人及你
    2021-01-06 00:40

    With every browser supporting tabbed browsing it would be a poor user experience to try to restrict browsing to a single tab (you might as well make a desktop app then).

    One way you could solve this is by adding a CSRF token to your forms (as a hidden variable), that would be submitted with the request.

    CSRF reference

    There are many ways to generate the token, but essentially you:

    1. create the token
    2. store in your $_SESSION
    3. output the form with

    Then when the form submits you check `$_REQUEST['{token name}'] == $_SESSION['{token name}']`.

    If that token is different you know it wasn't the form you originally generated and thus can ignore the request until the real form comes in with the correct token.

    One thing: if an attacker can figure out how you generate your CSRF tokens then they can forge requests.
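
The steps in the answer above, written out as an added example that is not part of the original answer. It assumes PHP 8 and a single-file form handler; the function names, the `csrf` session key, the `wizard` form id and the `csrf_token` field name are all hypothetical.

```php
<?php
// Added example, not code from the original answer. csrf_issue(), csrf_check(),
// the 'csrf' session key and the 'wizard' form id are assumed names.
declare(strict_types=1);

session_start();

/** Steps 1 and 2: create an unpredictable token and store it in the session. */
function csrf_issue(string $formId): string
{
    // random_bytes() draws from the OS CSPRNG, so the token cannot be
    // derived from the time, the session id or other guessable inputs.
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$formId] = $token;
    return $token;
}

/** On submit: compare the posted token with the stored one, single use. */
function csrf_check(string $formId, mixed $submitted): bool
{
    $expected = $_SESSION['csrf'][$formId] ?? null;
    unset($_SESSION['csrf'][$formId]);          // a token is valid for one submission
    if (!is_string($expected) || !is_string($submitted)) {
        return false;                           // missing token or array-typed input
    }
    return hash_equals($expected, $submitted);  // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('wizard', $_POST['csrf_token'] ?? null)) {
        http_response_code(400);
        exit('Stale or forged form submission.');
    }
    // ... process this step of the form here ...
}

// Step 3: output the form with the token as a hidden field.
$token = csrf_issue('wizard');
?>
<form method="post">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
    <button type="submit">Continue</button>
</form>
```

Because each render overwrites the stored token, opening the form in a second tab makes the older tab's submission fail the check, which is the "not the form you originally generated" case the answer describes.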
