Guys,
I have a classic ASP page which has a form submitting to itself. I have to prevent CSRF in the page. So, I went with using a hidden random variable in the form and a session variable to store it. Here is similar code.

This works fine unless the user clicks the back button. If the back button is clicked, somehow the session and form values don't match the first time (clicking on the Add button). The next click on Add works fine.

Please help me. I got stuck here.

Any knowledge regarding session and back button is appreciated.


mypage.asp
------------
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
Dim uid
%>
<html>
<body>

<%
If Request.Form("add") = "true" Then
    ' Here is the anti-CSRF check: the token posted back must equal the one stored in the session.
    ' Compare as strings so a missing or non-numeric value fails the check instead of raising a type error.
    If Len(Session("uid")) > 0 And CStr(Session("uid")) = CStr(Request.Form("uid")) Then
        ' Do some critical DB operations
    End If
End If
%>
<%
' A new token is generated on every render and overwrites the copy in the session
Randomize
uid = Int(Rnd * 10000 + Rnd * 9)
Session("uid") = uid
%>
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="uid" value="<%=uid%>"/>
<input type="submit" value="Add"/>
</form>

</body>
</html>
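As an added example that is not part of the original post, the token logic of the page above modelled in Python so the back-button case can be replayed offline. `render_form_per_request` mirrors the page as posted (a fresh token on every render, overwriting the session copy); `render_form_per_session` is the usual synchronizer-token variant that issues one token per session and reuses it, so a cached copy of the form still carries a token that matches. The `Session` class, the `handle_post` helper and the scenario are constructed stand-ins, not anything from the question or from ASP itself.

```python
import hmac
import secrets


class Session(dict):
    """Constructed stand-in for the ASP Session object (one per browser session)."""


def render_form_per_request(session: Session) -> str:
    """Pattern from the question: every render generates a fresh token and
    overwrites the session copy. Returns the token placed in the hidden field."""
    token = secrets.token_hex(16)  # CSPRNG; VBScript's Rnd is not one
    session["uid"] = token
    return token


def render_form_per_session(session: Session) -> str:
    """Synchronizer-token pattern: one token per session, created lazily and
    reused on later renders, so any cached copy of the form still validates."""
    if "uid" not in session:
        session["uid"] = secrets.token_hex(16)
    return session["uid"]


def verify_token(session: Session, form: dict) -> bool:
    """The anti-CSRF check. Missing values fail closed; compare_digest keeps
    the comparison constant-time."""
    expected = session.get("uid")
    submitted = form.get("uid")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: Session, form: dict, critical_action) -> str:
    """Constructed equivalent of the page's POST branch."""
    if form.get("add") != "true":
        return "ignored"
    if not verify_token(session, form):
        return "rejected"
    critical_action()
    return "done"


def simulate_back_button(render) -> str:
    """Constructed scenario: the page is rendered twice (e.g. after a POST it
    re-renders itself), then the user presses Back and submits the browser's
    cached first copy, whose hidden field still holds the first token."""
    session = Session()
    first_token = render(session)
    render(session)  # second render; with per-request tokens this overwrites the session copy
    cached_form = {"add": "true", "uid": first_token, "name": "x"}
    return handle_post(session, cached_form, lambda: None)


def simulate_forged_request(render) -> str:
    """Constructed scenario: a cross-site POST that carries the session cookie
    but cannot read the token, so it guesses one. Must be rejected either way."""
    session = Session()
    render(session)
    forged_form = {"add": "true", "uid": secrets.token_hex(16), "name": "x"}
    return handle_post(session, forged_form, lambda: None)


if __name__ == "__main__":
    print("back button, per-request token:", simulate_back_button(render_form_per_request))
    print("back button, per-session token:", simulate_back_button(render_form_per_session))
    print("forged request, per-session token:", simulate_forged_request(render_form_per_session))
```

Run as a script it prints `rejected` for the per-request variant on the back-button replay and `done` for the per-session variant, while the forged request is rejected by both. In classic ASP the per-session variant corresponds to generating the token only when `Session("uid")` is empty; sending `Response.CacheControl = "no-cache"` and `Response.Expires = -1` additionally discourages the browser from serving the stale form at all.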