Detecting a form's POST

MDW

Say I've got a page - myPage.asp - that expects to see the
results of a form's POST operation. If it comes from the
form, all is fine.

However, if someone were to manually type the address in
the address bar - http://www.mysite.com/myPage.asp - I'd
like to be able to detect that they're trying to
circumvent the form and redirect them to the appropriate
page using Response.Redirect().

What's the best way to tell whether a page is coming as
the result of a POST operation?
 
MDW

Hmmmm....

What about something like this:

strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")

If strID = "" Then
    Response.Redirect("useTheFormYouDope.asp")
End If


-----Original Message-----
Request.ServerVariables("REQUEST_METHOD") will tell you if it was posted or
getted (?). But, I can make C:\PathOnMyComputer\page.htm with:

<form method="post" action="http://www.yoursite.com/yourpage.asp"> and post
 
Randy R

What's the best way to tell whether a page is coming as
the result of a POST operation?

What about setting a session variable on the page where the form is and
checking if that session variable is valid on the next page. If it's not,
then you can redirect them back to the form.
 
Ray at

That would work, but, I could put <input
value="ImportantValueWithoutWhichPageWouldntWork"> in my form as well. Have
you seen those "validation ticket" things on websites where you have to
enter a string of characters into a textbox on the form from reading an
image that contains the string of characters? I.e., go to www.godaddy.com,
look up a domain that is taken, and then do a whois. You have to enter a
ticket number. I think you'd have to do something like that to be 100% sure
that the person is submitting from your form.

You could also use cookies or sessions to be 99% sure.

Also, you could write a cookie on the page with your form that is a random
string and another one with an ID and also store that value in a DB,
temporarily. Then, when the form is submitted, you could look up the cookie
ID in the database and see if the random string matches from the DB and the
other cookie that the client sent.

Ray at work
 
MDW

Yeah, I could do that. But in all honesty.... *L* If
someone is trying to fool my site like that, they must be
REALLY bored.

Thx for the ideas. I'll play around, probably do some
combination of them. Just trying to idiot-proof my site.
 
Ray at

Yeah, I mean, if you think about it, what harm can be done? They still can
only submit what your site will accept. Just control field lengths and
things on the server instead of relying on things like "maxlength" in the
inputs, and everything should be okay.

Ray at work
 
Evertjan.

MDW wrote on 07 jul 2003 in microsoft.public.inetserver.asp.general:
Hmmmm....

What about something like this:

strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")

If strID = "" Then
    Response.Redirect("useTheFormYouDope.asp")
End If

I would add a test of Request.ServerVariables("HTTP_REFERER") [yes, I know
this sometimes fails] to ascertain that the posting page was mine.
 
Mosley

MDW said:
Yeah, I could do that. But in all honesty.... *L* If
someone is trying to fool my site like that, they must be
REALLY bored.


Why don't you use Ray's idea
Request.ServerVariables("REQUEST_METHOD")

With
Request.ServerVariables("HTTP_REFERER")
as well

that will tell you the method used and what page it came from
 
Dave Anderson

Randy R said:
What about setting a session variable on the page where the
form is and checking if that session variable is valid on
the next page. If it's not, then you can redirect them back
to the form.

This only tests whether there is a valid session, not whether the form
submission originated from one of his pages. Certainly a user could have a
valid session, yet still submit a request from a self-created form.

The short answer to the original question is that there is little you can
ever safely assume about the content of the request. Your application design
should reflect this.

Evaluate the request in its entirety, always assuming the user constructed
the request himself. Most of the things you can do take little more than
common sense: Ask yourself which items could be spoofed and with what
likelihood (session cookies are more difficult to guess/spoof than form
name-value pairs, for example). Make sure REMOTE_HOST hasn't changed since
the session was generated. Use SSL where security is *really* needed.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
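The ticket scheme Ray at work sketches (a random secret plus an ID in cookies, with the pair stored server-side and checked on submit) combined with Dave Anderson's advice to validate every field on the server, written out as an added Python example that is not from this thread and not ASP. The in-memory dict stands in for the temporary DB table, the request shape is constructed, and the ticket is made single-use and time-limited as a hardening step the thread does not spell out.

```python
import hmac
import secrets
import time

# Constructed stand-in for the temporary DB table: ticket id -> (secret, expiry time).
_TICKETS = {}
TICKET_TTL_SECONDS = 600

def issue_form_ticket(now=None):
    """Called by the page that renders the form. Creates a ticket id and a random
    secret, stores the pair server-side, and returns the two cookie values to set."""
    now = time.time() if now is None else now
    ticket_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    _TICKETS[ticket_id] = (secret, now + TICKET_TTL_SECONDS)
    return {"ticket_id": ticket_id, "ticket_secret": secret}

def validate_submission(request, now=None):
    """Decide whether a request to the POST-handling page should be processed or
    redirected back to the form. `request` is a constructed dict with the keys
    'method', 'cookies' and 'form'. Returns (ok, reason)."""
    now = time.time() if now is None else now
    # REQUEST_METHOD check from the thread: anything but POST goes back to the form.
    if request.get("method") != "POST":
        return False, "not a POST"
    cookies = request.get("cookies", {})
    ticket_id = cookies.get("ticket_id", "")
    presented = cookies.get("ticket_secret", "")
    # One-time use: the ticket is removed whether or not the rest of the check passes.
    stored = _TICKETS.pop(ticket_id, None)
    if stored is None:
        return False, "unknown ticket id"
    secret, expires_at = stored
    if now > expires_at:
        return False, "ticket expired"
    # Constant-time comparison of the secret the client sent against the stored one.
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return False, "ticket secret mismatch"
    # Server-side field validation instead of trusting the form's maxlength attribute.
    form = request.get("form", {})
    value = form.get("ImportantValueWithoutWhichPageWouldntWork", "")
    if not (1 <= len(value) <= 64):
        return False, "field length out of range"
    return True, "ok"
```

As Dave Anderson notes, a passing ticket only shows that the same browser fetched the form page recently, so the field checks at the end are still the part that protects the application.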