Thanks for the code that uses a session ID. Session IDs are cool, but I didn't want to spend a ton of time working the bugs out to implement it. I have been taking a different tactic. I sample the incoming IP address and compare it to my local netmask to see if the request is incoming from my local network. If it is, I allow things to be done; if it isn't, they get denied. To allow me to change things from way far away, I give it a secret word that turns off the check for a little while, allowing me to change the temperature, close a door or whatever. The security gets turned back on automatically on expiration of a timer so I can't forget.
This has been working fine and I get occasional (not very often) attempts to open my garage doors or something, but never a sophisticated attack. On a device this dumb, sophisticated attacks just don't work. The secret word is in the code only and never goes out over the web so it should be good for a long time. The attempts to do things are most likely people clicking to see what happens, nothing bad, just curiosity. Curiosity is fine, I don't mind that at all.
I gotta take your example and try it.
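The gate described in the comment above, sketched in C as an added example; it is not the commenter's code. The names (`gate_t`, `gate_allows`, `gate_try_unlock`), the five-minute window, the addresses and the secret word are all assumptions, and `now_ms` stands for a wrapping 32-bit millisecond tick counter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define OVERRIDE_MS 300000UL /* assumed override window: 5 minutes */

typedef struct {
    uint32_t local_ip, netmask;  /* device address and mask, host byte order */
    int override_on;             /* 1 while the subnet check is switched off */
    uint32_t override_start_ms;  /* tick count when the secret word was accepted */
} gate_t;

/* Compare without stopping at the first wrong byte, so response time does not
   reveal how much of a guess was correct. */
int secret_matches(const char *given, const char *secret) {
    size_t n = strlen(secret), m = strlen(given);
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(secret[i] ^ given[i < m ? i : 0]);
    return diff == 0;
}

/* Start the timed override if the word is right; returns 1 on success. */
int gate_try_unlock(gate_t *g, const char *word, const char *secret, uint32_t now_ms) {
    if (!secret_matches(word, secret)) return 0;
    g->override_on = 1;
    g->override_start_ms = now_ms;
    return 1;
}

/* Decide one request. Unsigned subtraction keeps the expiry correct when the
   32-bit millisecond counter wraps (about every 49.7 days). */
int gate_allows(gate_t *g, uint32_t remote_ip, uint32_t now_ms) {
    if (g->override_on && (uint32_t)(now_ms - g->override_start_ms) >= OVERRIDE_MS)
        g->override_on = 0;  /* timer expired: enforcement resumes automatically */
    if ((remote_ip & g->netmask) == (g->local_ip & g->netmask))
        return 1;            /* same subnet as the device */
    return g->override_on;   /* while on, the check is off for every remote address */
}

int main(void) {
    gate_t g = { IP4(192, 168, 1, 50), IP4(255, 255, 255, 0), 0, 0 }; /* constructed */
    uint32_t remote = IP4(203, 0, 113, 7);                             /* constructed */
    printf("before unlock: %d\n", gate_allows(&g, remote, 1000));
    gate_try_unlock(&g, "example-word", "example-word", 2000);
    printf("during window: %d\n", gate_allows(&g, remote, 3000));
    printf("after expiry:  %d\n", gate_allows(&g, remote, 2000 + OVERRIDE_MS));
    return 0;
}
```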