Basically : you cannot.
With the HTTP protocol, each request is independent from the others.
A first idea would be to check the Referer HTTP header, but note that :
- It can be faked (it's sent by the browser)
- It is not always present.
So : not a reliable solution.
A possible, and far better than the Referer idea, solution could be to use a nonce :
- When displaying the form, put a hidden input field in it, containing a random value
- At the same time, store that random value into the session that correspond to the user.
- When the form is submitted, check that the hidden field has the same value as the one that's stored in session.
If those two values are not the same, refuse to use the submitted data.
Note : this idea is often used to help fight against CSRF -- and integrated in the "Form" component of some Frameworks (Zend Framework, for instance).
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…