Originally Posted by Redcoder
The problem is... a good secure login regenerates session IDs/keys at the end of the session/session timeout/logout. So having to compare with session values... that is only possible where the session IDs are not regenerated and therefore a secure-ish system which is prone to attacks, which I don't think any programmer aims for. See? Ajax based draft saving is the most secure.
No, I disagree. The session can't be attacked if it's had all of its variables unset / deleted and can be recycled for another user on the same computer in a similar way to thread pooling in Windows socket apps. Besides, the ID wasn't that of the session I meant.
What I meant was: put the USER'S ID in the form so that it can be checked against the current user who logs in. If the two match, it's the correct user, so process the stored HTTP data. If it's a different user ID that has logged on, then the data can be dumped or stored in the previous user's account somewhere.
Ajax is also fine to use BUT it can be a PITA on the browser and CPU resources.
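The user-ID check described in the post above, as an added example that is not part of the original thread. It assumes Python, a hypothetical hidden field named `owner`, and a server-side HMAC over the ID, which the post does not mention; the HMAC is added here because a hidden form field can be edited in the browser.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real application loads this from its secret store.
SERVER_KEY = secrets.token_bytes(32)
OWNER_FIELD = "owner"  # hypothetical hidden-field name (assumption, not from the post)


def _mac(user_id: int) -> str:
    """HMAC-SHA256 over the decimal user ID, hex encoded."""
    return hmac.new(SERVER_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


def owner_field(user_id: int) -> str:
    """Value for the hidden field, emitted when the form is rendered."""
    return f"{user_id}.{_mac(user_id)}"


def resume_after_login(posted: dict, logged_in_user_id: int):
    """Return the stored form data to process, or None to discard it.

    `posted` is the form data kept from the request that hit the expired
    session; `logged_in_user_id` is the account that has just authenticated.
    """
    uid_text, _, mac = posted.get(OWNER_FIELD, "").partition(".")
    if not (uid_text.isascii() and uid_text.isdigit()):
        return None  # field missing or malformed
    uid = int(uid_text)
    # The hidden field is client-editable, so verify the MAC before trusting the ID.
    expected = _mac(uid).encode()
    if not hmac.compare_digest(expected, mac.encode("utf-8", "replace")):
        return None
    # The check from the post: the data belongs only to the user who now logs in.
    if uid != logged_in_user_id:
        return None
    return {k: v for k, v in posted.items() if k != OWNER_FIELD}
```

Returning `None` corresponds to the "dumped" branch in the post; storing the data in the previous user's account instead would be a separate code path taken only when the MAC verifies.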