views: 378
answers: 1

I'm working on a 2 page form that POSTs a query to a database. Read-only, no writing. None of the information is confidential, nor will it ever be.

The site must be 100% non-JS compliant, so Ajax and the like are not available. All I got is PHP, baby!

FORM-2's content is dependent on a fraction of the data in FORM-1, but ALL of the data in FORM-1 must also be submitted with the final query contained in FORM-2.

It's occurred to me that I could do the data hand-off from FORM-1 to FORM-2 two different ways:

1) POST the FORM-1 variable data to a SESSION
2) POST the FORM-1 variable data to hidden fields on FORM-2

They seem about equally difficult/easy to implement, so I'm wondering about security and such...

Also, in either instance, if I FORM-1 -> FORM-2 -> Results and don't like my results, can I Back Button twice to FORM-1 and still have all the data checked, written, etc?

+3  A: 

Technically, sessions break the "stateless" nature of the web and the other option is preferable. If security or the danger of someone submitting form2 from their own server with self-created values for form 1 really are problems, you could encrypt the data on submission of form 1 and store the encrypted data in a hidden field on form 2. (using mcrypt libraries -- I have some sample code).

Also, if we are being pedantic, the back button should not work with a POSTed form, since that would create problems with creating or destroying resources twice. But I think most modern browsers support it -- that is a function of the browser, not the server, though you could do things like require a unique value on each submission to stop it.

But realistically, almost everyone uses Session cookies almost all the time. It's much easier, there are lots of examples, and it's relatively secure.

Devin Ceartas
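The "encrypt the data on submission of form 1 and store it in a hidden field on form 2" approach from the answer above, as an added example that is not part of the original post and not the answerer's mcrypt sample code. It uses PHP's `openssl_encrypt` and `hash_hmac` instead of mcrypt (mcrypt was removed from core PHP in 7.2), and adds an HMAC because encryption on its own does not stop someone from altering the hidden field: the integrity check is what actually protects a hidden-field hand-off, and the seal/open functions, the `FORM_SEAL_KEY` name and the sample FORM-1 values are all assumptions made for this example.

```php
<?php
// Added example (not from the original post): sealing FORM-1 data into a
// tamper-evident hidden field for FORM-2, then opening it on the results page.
// Uses openssl_encrypt + hash_hmac as a stand-in for the mcrypt code the
// answer mentions (mcrypt is no longer part of PHP).

// Assumption: a 32-byte secret kept outside the web root (e.g. an env var).
// The fallback string is a placeholder for this example only.
define('FORM_SEAL_KEY', hash('sha256', getenv('FORM_SEAL_KEY') ?: 'PLACEHOLDER-change-me', true));

/**
 * Seal an array of FORM-1 values into one opaque string for a hidden field.
 * Encrypt-then-MAC: AES-256-CBC with a random IV, then HMAC-SHA256 over IV+ciphertext.
 */
function seal_form_data(array $data, string $key = FORM_SEAL_KEY): string
{
    $plain  = json_encode($data);
    $iv     = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac    = hash_hmac('sha256', $iv . $cipher, $key, true);
    return base64_encode($mac . $iv . $cipher);
}

/**
 * Open a sealed string. Returns the original array, or null if the field was
 * modified, produced with a different key, or is otherwise malformed.
 */
function open_form_data(string $sealed, string $key = FORM_SEAL_KEY): ?array
{
    $raw   = base64_decode($sealed, true);
    $ivLen = openssl_cipher_iv_length('aes-256-cbc');
    // Minimum: 32-byte MAC + IV + one AES block of ciphertext.
    if ($raw === false || strlen($raw) < 32 + $ivLen + 16) {
        return null;
    }
    $mac    = substr($raw, 0, 32);
    $iv     = substr($raw, 32, $ivLen);
    $cipher = substr($raw, 32 + $ivLen);
    // Constant-time comparison of the MAC; verify before decrypting anything.
    if (!hash_equals(hash_hmac('sha256', $iv . $cipher, $key, true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($cipher, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        return null;
    }
    $data = json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// --- FORM-2 page: receives FORM-1's POST and echoes it back sealed ---
// Constructed sample standing in for the validated $_POST of FORM-1.
$form1  = ['region' => 'north', 'category' => 'widgets', 'year' => '2009'];
$sealed = seal_form_data($form1);
echo '<input type="hidden" name="form1" value="'
   . htmlspecialchars($sealed, ENT_QUOTES, 'UTF-8') . '">' . "\n";

// --- Results page: FORM-2's submission arrives with the sealed field ---
// In the real handler $sealed would be read from $_POST['form1'].
$form1Again = open_form_data($sealed);            // genuine field: the array
$tampered   = open_form_data(substr($sealed, 1)); // altered field: null
if ($form1Again === null) {
    http_response_code(400);
    exit('FORM-1 data missing or altered; please start again.');
}
var_dump($form1Again === $form1, $tampered);
```

The sealed value still originates from the client, so the results page should re-validate the opened array with the same checks FORM-1 applied before using it in the query. The session alternative the answer describes is the same hand-off with `$_SESSION['form1'] = $form1;` in place of the hidden field, which keeps the data server-side but ties FORM-2 to one browser session and, as the answer notes, to the back-button behaviour of that session.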