diff --git a/entityform.admin.inc b/entityform.admin.inc
index 39f69da..f8d755a 100644
--- a/entityform.admin.inc
+++ b/entityform.admin.inc
@@ -402,6 +402,12 @@ function entityform_edit_form_submit(&$form, &$form_state) {
         $entityform_type->data['redirect_path'];
       }
       else {
+        global $user;
+        if (empty($user->uid)) {
+          //for anonymous users we must store the id of their submussion in the session
+          drupal_session_start();
+          $_SESSION['entityform_submission'] = $entityform->entityform_id;
+        }
         $confirm_path = entity_ui_controller('entityform')->confirm_path($entityform->type, $entityform->entityform_id);
         $form_state['redirect'] = array($confirm_path[0], $confirm_path[1]);
       }
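Review bot: `$_SESSION['entityform_submission']` holds a single id, so an anonymous visitor who submits a second form before opening the first confirmation page overwrites the earlier id and is then denied that page. If that is not intended, key the value by submission, e.g. `$_SESSION['entityform_submission'][$entityform->entityform_id] = TRUE;`, and update the check in `entityform_access()` to match. The added comment has a typo; suggest `// For anonymous users, store the id of their submission in the session.` The enclosing function starts and ends outside the hunk.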
diff --git a/entityform.module b/entityform.module
index c67d870..401647f 100644
--- a/entityform.module
+++ b/entityform.module
@@ -238,7 +238,22 @@ function entityform_access($op, $entityform = NULL, $account = NULL) {
       }
       return FALSE;
     }
-    return entityform_user_submitted($type_name);
+    //confirm page
+    $entityform_id = $_GET['entityform_id'];
+    if (empty($user->uid)) {
+      // If this is anonymous user then entityform_id should be stored in session
+      if (!isset($_SESSION['entityform_submission'])) {
+        return FALSE;
+      }
+      $match = $_SESSION['entityform_submission'] == $entityform_id;
+      unset($_SESSION['entityform_submission']);
+      return $match;
+    }
+    else {
+      $entityform = entityform_load($entityform_id);
+      //only grant access if this is the user who made the submission
+      return $entityform->uid == $user->uid;
+    }
     // return user_access("submit $type_name entityform");
   }
   if ($op == 'confirm') {
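Review bot: `$_GET['entityform_id']` is read on the confirm branch without checking that it is present or a plain numeric string, and the result of `entityform_load()` is dereferenced without checking that a submission was found, so a missing, array-valued or unknown id causes notices or a non-object access instead of a clean denial. The anonymous comparison uses loose `==`, so a non-canonical string can compare equal to the stored id; validate the parameter first and compare with `===`. `$user` is not declared in the visible lines, and `entityform_access()` starts outside the hunk, so confirm that `global $user` is in scope or that `$account` should be used instead. Because the session key is unset inside an access callback, a reload or a second access check denies the anonymous user; if that one-shot behaviour is intended, it deserves a comment.

```php
    // confirm page
    $entityform_id = isset($_GET['entityform_id']) ? $_GET['entityform_id'] : NULL;
    if (!is_scalar($entityform_id) || !ctype_digit((string) $entityform_id)) {
      // Missing, array-valued or non-numeric id: deny rather than guess.
      return FALSE;
    }
    if (empty($user->uid)) {
      // … unchanged: return FALSE when the session key is not set …
      $match = (string) $_SESSION['entityform_submission'] === (string) $entityform_id;
      // … unchanged: unset the session key and return $match …
    }
    else {
      $entityform = entityform_load($entityform_id);
      // Only grant access if the submission exists and belongs to this user.
      return !empty($entityform) && $entityform->uid == $user->uid;
    }
```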
