[FX.php List] How to handle security on web forms that are used more than once?

Jonathan Schwartz jschwartz at exit445.com
Sat Oct 13 20:06:17 MDT 2012

Hi Malcolm,

I have done a number of these "extended-application" systems for clients.

It's not really a security challenge, as much as it's the need for an 
entire subsystem designed to deal with allowing users to create an 
account, start an application, save the current status, leave and be 
able to come back and log in to complete the process.

You also need to work out the business rules with the client, now 
that the system will allow a user to leave and come back...when?  An 
hour, a day, a week...etc. I also found that on these extended 
applications, there is often a need to refuse the submission and ask 
the applicant to provide more/better information.  Once the 
submission is accepted, there is a need to lock the application so 
that no further edits can be made. Also, with every user login 
system, there is a need to provide a "lost password" subsystem.

There is nothing terribly hard about this.  It just has a tendency to 
grow to provide the logical elements that you don't think about until 
you actually get there.

I can point you to one or two production web sites if you want to take a look.

Good luck!


At 12:43 PM +1100 10/14/12, Malcolm Fitzgerald wrote:
>I have a client who has a rather long application form they want to 
>put onto the web. The applicants are not expected to have all the 
>information required to complete the form. They may need a long time 
>(days) to gather the information. When they return to the web site 
>they should be able to return to their form. All that seems 
>straightforward but the security issues are not. What is the best 
>way to handle this?

Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
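
The lifecycle rules described in the message above (save and resume later, refuse and return a submission, lock on acceptance), as an added example that is not part of the original post or of FX.php. The status names, the 7-day resume window and all function names are assumptions; the record is a plain array standing in for the stored application, and login itself is left out.

```php
<?php
declare(strict_types=1);

// Assumed business rule (to be agreed with the client): resume within 7 days.
const RESUME_WINDOW_SECONDS = 7 * 24 * 3600;

// Assumed status names. 'accepted' has no exits, so the record stays locked.
const TRANSITIONS = [
    'draft'     => ['submitted'],
    'submitted' => ['returned', 'accepted'],
    'returned'  => ['submitted'],
    'accepted'  => [],
];

// Server-side check made on every save, never trusted to the form itself.
function canEdit(array $app, int $userId, int $now): bool
{
    return $app['owner_id'] === $userId                           // owner only
        && in_array($app['status'], ['draft', 'returned'], true)  // not under review or locked
        && ($now - $app['last_saved']) <= RESUME_WINDOW_SECONDS;  // inside the resume window
}

function saveProgress(array $app, int $userId, array $fields, int $now): array
{
    if (!canEdit($app, $userId, $now)) {
        throw new RuntimeException('Application is not editable');
    }
    $app['fields'] = array_merge($app['fields'], $fields);
    $app['last_saved'] = $now;
    return $app;
}

function transition(array $app, string $to): array
{
    if (!in_array($to, TRANSITIONS[$app['status']], true)) {
        throw new RuntimeException("Cannot go from {$app['status']} to $to");
    }
    $app['status'] = $to;
    return $app;
}

// Constructed sample record and walk-through.
$t0  = 1350000000;
$app = ['owner_id' => 42, 'status' => 'draft', 'fields' => [], 'last_saved' => $t0];
$app = saveProgress($app, 42, ['name' => 'A. Applicant'], $t0 + 3600);
$app = transition(transition($app, 'submitted'), 'returned'); // more info requested
var_dump(canEdit($app, 42, $t0 + 7200));  // check as the owner after a return
var_dump(canEdit($app, 99, $t0 + 7200));  // check as a different account
$app = transition(transition($app, 'submitted'), 'accepted');
var_dump(canEdit($app, 42, $t0 + 7200));  // check as the owner after acceptance
```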
