in reply to non-cookie session maintenance
If you pass a session id around all you need to do is store all the data on the server and then no one can 'pick off parameters to use them'. Alternatively I will often pass hidden params plus an MD5 hash around. If you have X params you want fixed make an MD5 hash (plus a secret string) and pass that around too.
An MD5 hash is very predictable if you hash just the values you store in hidden fields as MD5( 'this data' . 'that data' ) == MD5( 'this data' . 'that data' ) so your hash should be MD5( 'this data' . 'that data' . 'my secret string so no one can hash my hidden params and compute the hash using an educated guess/minimal brute force' ).
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
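The scheme described in the reply above (fixed hidden params plus a hash keyed with a server-side secret), worked through as an added example that is not the poster's code. It uses HMAC-SHA256 in place of `MD5( data . secret )`, serialises the params in a fixed order with a separator-safe encoding so that neighbouring values cannot be shifted into each other, and checks the signature in constant time. The secret value and the param names are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed for this example: the secret lives only on the server and
# is never sent to the client. Rotate it like any other credential.
SERVER_SECRET = b"example-secret-not-from-the-post"


def canonical(params):
    """Serialise the hidden params in a fixed order.

    urlencode percent-escapes '&' and '=' inside values, so
    {'a': 'b&c'} and {'a': 'b', 'c': ''} produce different byte strings.
    A plain string concatenation (MD5('this data' . 'that data')) does
    not have that property.
    """
    return urlencode(sorted(params.items())).encode()


def sign(params, secret=SERVER_SECRET):
    """Keyed hash over the canonical params.

    HMAC-SHA256 is an assumption swapped in for MD5(data . secret);
    the structure (data bound to a server-only secret) is the post's.
    """
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def unkeyed_md5(params):
    """What the post warns against: a hash over the values alone.

    Anyone holding the hidden fields can recompute this, so it proves
    nothing about who produced the form.
    """
    return hashlib.md5(canonical(params)).hexdigest()


def verify(params, presented_sig, secret=SERVER_SECRET):
    """Constant-time comparison so a mismatch leaks no timing information."""
    return hmac.compare_digest(sign(params, secret), presented_sig)


def build_hidden_fields(params):
    """Server side, when rendering the form: emit params plus their signature."""
    fields = dict(params)
    fields["sig"] = sign(params)
    return fields


def check_submission(form):
    """Server side, on submit: strip the signature and verify the rest.

    A missing or altered signature, or any altered param, fails the check.
    """
    form = dict(form)
    presented = form.pop("sig", "")
    return verify(form, presented)


if __name__ == "__main__":
    hidden = build_hidden_fields({"user_id": "42", "price": "19.99"})
    print("untampered accepted:", check_submission(hidden))

    tampered = dict(hidden, price="0.01")
    print("tampered rejected:", not check_submission(tampered))

    # The unkeyed hash is reproducible by anyone with the field values.
    print("unkeyed md5 recomputable:",
          unkeyed_md5({"price": "0.01"}) == unkeyed_md5({"price": "0.01"}))
```

The detection point on the server is `check_submission` returning `False`: log the rejected submission with the client address and the field names (not the secret), since a tampered `sig` is a reliable signal that someone edited the hidden fields.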