How to restrict my app to a single browser tab?

Question

Frankly, it\'s just causing too much hassle in in v1.0 to have a functionality which requires three form submissions, with $_SESSION session data holding all of

Answer 1

A better design would be to avoid storing user interaction state in the session. Put it in hidden form fields or something so that each client request carries its associated state with it. If you're concerned about the user tampering with it, use an HMAC to prevent that, and possibly encrypt it if it contains things the user shouldn't be able to see.

Only state that should be shared between tabs — like the user's login identity, or something like a shopping cart — should be stored in the session.