On Oct 24, 9:48 pm, Brian M <bmere...@gmail.com> wrote: > How about include all the calculated values in your form and add in an > additional field that's a HMAC keyed hash of the others using a key > that only you know? When the user submits, make sure the rest of the > field values still combine & hash the same way and then you'll know > the user hasn't messed with the form.
Thanks for the comment. It's very clever, but too much work. I am rather going to keep my calculated values in the server-side session, and always fetch them from there. The client will only every submit an index into that server-side hash. I am fairly sure now that this is the way to go here.
