A while ago I posted an entry that talked about the dangers of using GET requests for actions that make permanent changes to a site (GET considered harmful; Sometimes). Jesse Ruderman made me aware that avoiding GET is not enough, and that the problem I described actually belongs to the wider area of Cross-Site Request Forgeries (CSRF).
POST raises the bar
Why POST is not enough
Unique Tokens are the solution
When processing forms we have to make sure that the form originated from our site and was not simply copied over to somewhere else. The way to do this is via unique tokens that we pass as hidden values in the form. When the form is posted, we compare the posted token with the token we saved on the server side, and only execute the requested action if they match.
Because these tokens are unique and change with each request, a potential attacker cannot simply "guess" or otherwise find out the token.
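The token mechanism described above, as an added example that is not code from the original post: a fresh unpredictable token is stored server-side per session, embedded as a hidden field, and the state-changing action runs only if the posted value matches. It assumes an in-memory dictionary standing in for the session store and a constructed "delete item" action.

```python
import html
import hmac
import secrets

# Constructed stand-in for server-side session storage, keyed by session id.
SESSIONS: dict[str, dict] = {}


def issue_token(session_id: str) -> str:
    """Create a fresh, unpredictable token and remember it for this session."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def render_form(session_id: str, action: str) -> str:
    """Serve the form with the session's token as a hidden field.

    A page on another site cannot read this value, so a cross-site
    POST it triggers will not carry the right token.
    """
    token = issue_token(session_id)
    return (
        f'<form method="post" action="{html.escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        '<input type="hidden" name="item" value="42">'
        '<button type="submit">Delete</button></form>'
    )


def verify_token(session_id: str, posted: dict) -> bool:
    """Compare the posted token with the stored one; the token is single-use."""
    expected = SESSIONS.get(session_id, {}).pop("csrf_token", None)
    submitted = posted.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted)


def handle_delete(session_id: str, posted: dict) -> str:
    """Perform the permanent change only after the token check passes."""
    if not verify_token(session_id, posted):
        return "rejected: csrf token missing or invalid"
    return f"deleted item {posted.get('item')}"
```

Because `verify_token` removes the token when it is checked, a resubmitted or replayed form is rejected until a new form (and a new token) is served.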
If you need more information please see the links below; they have some additional information and also explain the better known XSS attacks.
 CSRF-Explanation by Peter W. (via Jesse Ruderman)
 Chris Shiflett: Foiling Cross-Site Attacks (second half of the page)
 Web Application Security (MIT security camp) [.pdf, ~300kb]
 Chris Shiflett: PHP Security Workbook 55 Page PDF covering all major areas (Spoofing, XSS, CSRF, SQL Injections, Sessions, etc.)