I'm working on securing a form that is used for gathering info for online insurance quotes. The problem we've been having is that some insurance agents and rating services have been stealing our form and trying to use it on their sites. Well, there is info that we use to automatically populate certain hidden variables used in the form handling script. And as each page in the form is assembled from a number of CFCs and CFM includes, just yanking the HTML pages served creates a mess on their sites, but a mess that is not apparent to them until later when they try to issue a policy based on the quote and their info is not producing the results they expect, as data mismatches and rules violations are thrown when sent for final quoting.
We've already been able to track when agents we know who have been using such pages do so, but it has come to our attention that this is a more widespread problem than we had originally thought. On the other end, we are working on ways to clean up and validate the data, but it would help if we could stop this on the front end as well.
Since we can't hide the HTML code served without buying HTML page encryption software, we have considered a number of strategies to try to track or stop unknown users. They boil down to two possibilities:
1. Create a random string as a token to be stored in a database table. Populate a hidden field with it. The token can only be used once. If detected in subsequent requests, stop the transaction.
2. Pass the page name of the template containing the form (used as a cfinclude in the page serving the form) as a session or request variable. Use this to authenticate the transaction.
Is there anything that might work better than either of these?
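
Added example, not part of the original post: option 1 written out in Python, with an in-memory SQLite table standing in for the database table and the functions standing in for the CFML page and form handler. The table layout, function names, the 15-minute lifetime and the binding of each token to the session that was served the form are assumptions made for this example.

```python
import secrets
import sqlite3
import time

TOKEN_TTL = 900  # seconds a served form stays valid (assumed value)

def open_store():
    """Create the token table (in-memory here; a real table in production)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE form_tokens (
        token      TEXT PRIMARY KEY,
        session_id TEXT NOT NULL,
        issued_at  REAL NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0)""")
    return db

def issue_token(db, session_id, now=None):
    """Run when the form page is rendered; the result fills the hidden field."""
    token = secrets.token_urlsafe(32)  # CSPRNG output, not guessable
    db.execute(
        "INSERT INTO form_tokens (token, session_id, issued_at) VALUES (?, ?, ?)",
        (token, session_id, time.time() if now is None else now))
    db.commit()
    return token

def consume_token(db, token, session_id, now=None):
    """Run by the form handler before any quoting logic.
    Returns 'ok', 'replayed', 'expired', 'wrong_session' or 'unknown'."""
    now = time.time() if now is None else now
    # One atomic UPDATE: of two concurrent posts, only one flips used 0 -> 1.
    cur = db.execute(
        "UPDATE form_tokens SET used = 1 "
        "WHERE token = ? AND session_id = ? AND used = 0 AND issued_at >= ?",
        (token, session_id, now - TOKEN_TTL))
    db.commit()
    if cur.rowcount == 1:
        return "ok"
    # Rejected: look up why, so the reason can be logged for tracking.
    row = db.execute(
        "SELECT session_id, used FROM form_tokens WHERE token = ?",
        (token,)).fetchone()
    if row is None:
        return "unknown"        # token was never issued by this site
    if row[0] != session_id:
        return "wrong_session"  # form was served to a different session
    return "replayed" if row[1] else "expired"
```

Logging the rejection reason alongside the request's `Referer` and source address gives the tracking data the post asks for, while the handler refuses anything other than `ok`.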