How secure is flash[:notice]? I’m working on a website that captures
fairly sensitive information. Someone fills out a form with this info
(over SSL), then it submits to a confirmation screen. From the
confirmation screen it submits to a “save” action and outputs the
results. But the problem is, if someone hits refresh a few times it
saves multiple times.
I modified the save function to set flash[:notice] = @sensitivedata and
do a redirect_to to an action that reads back the @sensitivedata from
flash[:notice] to display on the final save page. That way if they hit
refresh it won’t resave anything.
Would it be possible for another website user to accidentally be served
the flash[:notice] of another person? I may just redirect_to the final
screen and reread the data back from the database, but thinking about
all this made me wonder how secure flash[:notice] really is.
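The flow described in this post, as an added example that is not part of the original post and is not Rails code: plain Ruby objects (Store, Session, App and run_flow are all hypothetical stand-ins) model the flash semantics Rails gives you, where a value put in flash is readable on the next request only and is keyed to the visitor's own session. Because flash lives in the session, another visitor is not served it unless they hold the same session; the caveat is that with the cookie session store the whole flash is serialised into the session cookie and sent to the browser, which is why the second save variant below flashes only the record id and rereads the row on the confirmation page.

```ruby
require 'securerandom'
require 'json'

# Hypothetical in-memory stand-in for the table the form saves to.
class Store
  attr_reader :records

  def initialize
    @records = {}
  end

  def save(attrs)
    id = SecureRandom.hex(8)
    @records[id] = attrs.dup
    id
  end
end

# Minimal model of a per-visitor session with Rails-style flash: a value
# written during one request is visible on the next request, then dropped.
class Session
  attr_reader :flash

  def initialize
    @flash = {}       # what the current request can read
    @next_flash = {}  # what the following request will see
  end

  def set_flash(key, value)
    @next_flash[key] = value
  end

  # Rails sweeps the flash at the start of every request.
  def begin_request!
    @flash = @next_flash
    @next_flash = {}
  end

  # With the cookie session store the flash travels inside the session
  # cookie; this returns what would be shipped to the browser.
  def cookie_payload
    JSON.generate('flash' => @next_flash)
  end
end

class App
  def initialize(store)
    @store = store
  end

  # Variant from the question: the sensitive data itself goes into
  # flash[:notice] before the redirect, so it ends up in the cookie payload.
  def save_with_data_in_flash(session, params)
    @store.save(params)
    session.set_flash(:notice, params)
    { status: 302, location: '/done' }
  end

  # Safer variant: persist once, flash only the new record id, redirect.
  def save(session, params)
    id = @store.save(params)
    session.set_flash(:saved_id, id)
    { status: 302, location: '/done' }
  end

  # GET /done is read-only: it rereads the row by id, so a refresh
  # re-runs this action and saves nothing a second time.
  def done(session)
    id = session.flash[:saved_id]
    return { status: 404, body: 'nothing to show' } unless id
    { status: 200, body: @store.records.fetch(id) }
  end
end

# Drive one browser through POST /save -> redirect -> GET /done -> refresh.
def run_flow(app, session, params)
  session.begin_request!
  app.save(session, params)       # POST /save
  session.begin_request!
  first = app.done(session)       # GET /done after the redirect
  session.begin_request!
  refresh = app.done(session)     # user hits refresh on /done
  [first, refresh]
end
```

Running run_flow with constructed form data shows one row in the store after the refresh, a 200 on the first GET, and a 404 on the refresh because the flash has been swept; a second Session sees nothing. Comparing cookie_payload for the two save variants shows the sensitive value present in the first and only an opaque id in the second.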