[FX.php List] How to handle security on web forms that are used more than once?

Malcolm Fitzgerald malcolm at notyourhomework.net
Sun Oct 14 17:51:15 MDT 2012

Hi Jonathon,

Your response confirms the general thoughts I had about this. I'll push all of this back to the client. They may feel that it is better (cheaper/easier) to provide an information sheet which describes all the requirements for the form. The applicants could then be prepared to complete the form in a single session. 


On 14/10/2012, at 1:06 PM, Jonathan Schwartz wrote:

> Hi Malcolm,
> I have done a number of these "extended-application" systems for clients.
> It's not really a security challenge, as much as it's the need for entire subsystem designed to deal with allowing users to create an account, start an application, save the current status, leave and be able to come back and log in to complete the process.
> You also need to work out the business rules with the client, now that the system will allow a user to leave and come back...when?  An hour, a day, a week...etc. I also found that on these extended applications, there is often a need to refuse the submission and ask the applicant to provide more/better information.  Once the submission is accepted, there is a need to lock the application so that no further edits can be made. Also, with every user log in system, there is a need to provide a "lost password" subsystem.
> There is nothing terribly hard about this.  It just has a tendency to grow to provide the logical elements that you don't think about until you actually get there.
> I can point you to one or two production web site if you want to take a look.
> Good luck!
> Jonathan
> At 12:43 PM +1100 10/14/12, Malcolm Fitzgerald wrote:
>> I have a client who has a rather long application form they want to put onto the web. The applicants are not expected to have all the information required to complete the form. They may need a long time (days) to gather the information. When they return to the web site they should be able to return to their form. All that seems straightforward but the security issues are not. What is the best way to handle this?
>> Malcolm_______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
> -- 
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list

More information about the FX.php_List mailing list