diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php
index 9645f1d..56187d6 100755
--- a/code/model/UserDefinedForm.php
+++ b/code/model/UserDefinedForm.php
@@ -1045,6 +1045,12 @@ JS
 Session::clear("FormInfo.{$form->FormName()}.data");
 $referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : "";
+
+
+ // set a session variable from the security ID to stop people accessing the finished method directly
+ if (isset($data['SecurityID'])) {
+ Session::set('FormProcessed',$data['SecurityID']);
+ }
 return $this->redirect($this->Link() . 'finished' . $referrer);
 }
@@ -1058,6 +1064,19 @@ JS
 public function finished() {
 $referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null;
+ $formProcessed = Session::get('FormProcessed');
+ if (!isset($formProcessed)) {
+ return $this->redirect($this->Link() . $referrer);
+ } else {
+ $securityID = Session::get('SecurityID');
+ // make sure the session matches the SecurityID and is not left over from another form
+ if ($formProcessed != $securityID) {
+ return $this->redirect($this->Link() . $referrer);
+ }
+ }
+ // remove the session variable as we do not want it to be re-used
+ Session::clear('FormProcessed');
+
 return $this->customise(array(
 'Content' => $this->customise(
 array(
diff --git a/tests/UserDefinedFormControllerTest.php b/tests/UserDefinedFormControllerTest.php
index d159a23..f05a7ba 100644
--- a/tests/UserDefinedFormControllerTest.php
+++ b/tests/UserDefinedFormControllerTest.php
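Review bot: The `FormProcessed` marker is copied from the client-submitted `$data['SecurityID']` rather than from the server-side token that `finished()` later compares it against. A forged value only gets the visitor bounced, but if a form is ever served without the security token (not visible in this hunk) the key is absent, the marker is never set, and every genuine submission is redirected away from the completion page. Prefer the value the check actually trusts, `Session::set('FormProcessed', Session::get('SecurityID'));`, or, if forms can run token-less, key a plain flag on the form the way the line above keys its data (`FormInfo.{$form->FormName()}.processed`), which also removes the "left over from another form" case by construction. The two bare `+` lines before the comment are trailing blank lines worth dropping. The method this hunk patches starts before the hunk.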
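Review bot: The token comparison `if ($formProcessed != $securityID)` uses PHP's loose `!=`, which compares numeric-looking strings numerically, so two different tokens of the form `0e…` compare equal and the check passes on a mismatched value; write `if ($formProcessed !== $securityID)` (or `!hash_equals((string) $securityID, (string) $formProcessed)` if constant-time comparison is wanted). The bounce target on both new `redirect()` lines is `$this->Link() . $referrer` with `$referrer` taken straight from `$_GET['referrer']`; it presumably stays under the page's own path as long as `Link()` returns a path, but the value is attacker-controlled and the concatenation deserves either validation or a comment stating why it is safe. Because the marker is cleared on the first visit, a refresh of the completion page redirects the user; if that is intended, say so in the comment above `Session::clear('FormProcessed');`. `finished()` continues past the end of this hunk.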
@@ -59,10 +59,27 @@ class UserDefinedFormControllerTest extends FunctionalTest {
 function testFinished() {
 $form = $this->setupFormFrontend();
+
+ // set formProcessed and SecurityID to replicate the form being filled out
+ $this->session()->inst_set('SecurityID', 1);
+ $this->session()->inst_set('FormProcessed', 1);
+
 $response = $this->get($form->URLSegment.'/finished');
 $this->assertContains($form->OnCompleteMessage ,$response->getBody());
 }
+
+ function testAppendingFinished() {
+ $form = $this->setupFormFrontend();
+
+ // replicate finished being added to the end of the form URL without the form being filled out
+ $this->session()->inst_set('SecurityID', 1);
+ $this->session()->inst_set('FormProcessed', null);
+
+ $response = $this->get($form->URLSegment.'/finished');
+
+ $this->assertNotContains($form->OnCompleteMessage ,$response->getBody());
+ }
 function testForm() {
 $form = $this->objFromFixture('UserDefinedForm', 'basic-form-page');
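Review bot: The new tests only cover the "marker absent" case; the mismatch branch the production comment describes ("left over from another form") and the one-shot clearing of `FormProcessed` are not exercised, so a loosened comparison or a dropped `Session::clear` would still pass. Both tests also set `SecurityID` to the integer `1` whereas the real token is presumably a string, which hides the loose-comparison behaviour the check depends on — use string values such as `'abc123'`. Two additional tests with the same `inst_set` setup would pin both behaviours. The enclosing test class continues outside the hunk.
```php
function testFinishedWithStaleMarker() {
    $form = $this->setupFormFrontend();

    // a marker that does not match the current token must not unlock the completion page
    $this->session()->inst_set('SecurityID', 'abc123');
    $this->session()->inst_set('FormProcessed', 'zzz999');

    $response = $this->get($form->URLSegment.'/finished');
    $this->assertNotContains($form->OnCompleteMessage, $response->getBody());
}

function testFinishedIsOneShot() {
    $form = $this->setupFormFrontend();
    $this->session()->inst_set('SecurityID', 'abc123');
    $this->session()->inst_set('FormProcessed', 'abc123');

    $this->get($form->URLSegment.'/finished');
    // second visit: the marker was cleared, so the completion message must not render again
    $response = $this->get($form->URLSegment.'/finished');
    $this->assertNotContains($form->OnCompleteMessage, $response->getBody());
}
```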