by KallistaAEnvarou » 04. February 2008 11:58
OK, so how can I protect against that? I need to make sure that the $_POST data come from my site and my site alone, and no way I can think of can 100% protect, except this way. I've even thought of XSS, but even that won't completely work because they can look in the JavaScript to find out where to go to get the reset sessions, then fake the $_POST variable.