Using SSL, login validation for user session and validating the session each request I would consider a best practices. Joomla provides a mechanism to display a form token field:
echo JHtml::_('form.token');
If you need to attach the token to a URL. The tmpl=componen parameter is important when wanting to render HTML snippets. This flags Joomla to render only the components view, otherwise you would get your entire website; menus, modules and all back:
echo JRoute::(JUri::root() . '?option=com_mycomponent&view=userscreen&tmpl=component&' . JUtility::getToken() . '=1');
And on the other end of the request server side, using the above path as an example, could be received with the controller:
class MineControllerUserScreen extends JControllerLegacy
{
public function display($cachable = false, $urlparams = array())
{
// Validate the session is valid, die if isn't
JRequest::checkToken() or die( JText::_( 'Invalid Token' ) );
// Load the current user object for the active session if needed
$user = JFactory::getUser();
// Load the Session object for further validation if needed
$session = JFactory::getSession();
// Load sanitized items from POST and GET
$jinput = JFactory::getApplication()->input;
$answer = $jinput->get('user_answer', null, 'string');
// You are satisfied this person is allowed to get this
parent::display($cachable, $urlparams);
}
}
This use case should be handled within the controller. The above example lists many possible options for getting secure data from Joomla you could use; but for your case I think incorporating your existing question/answer as a POST variable request, which passes both token and user validation should do the trick.
Here's a general Joomla document on secure coding guidelines.
http://docs.joomla.org/Secure_coding_guidelines
