Detecting a form's POST

Discussion in 'ASP General' started by MDW, Jul 7, 2003.

  1. MDW

    MDW Guest

    Say I've got a page - myPage.asp - that expects to see the
    results of a form's POST operation. If it comes from the
    form, all is fine.

    However, if someone were to manually type the address in
    the address bar - http://www.mysite.com/myPage.asp - I'd
    like to be able to detect that they're trying to
    circumvent the form and redirect them to the appropriate
    page using Response.Redirect().

    What's the best way to tell whether a page is coming as
    the result of a POST operation?
     
    MDW, Jul 7, 2003
    #1

  2. MDW

    Ray at Guest

    Request.ServerVariables("REQUEST_METHOD") will tell you if it was posted or
    getted (?). But, I can make C:\PathOnMyComputer\page.htm with:

    <form method="post" action="http://www.yoursite.com/yourpage.asp"> and post
    to it.

    Ray at work

    "MDW" <> wrote in message
    news:776801c34499$33c80f20$...
    > Say I've got a page - myPage.asp - that expects to see the
    > results of a form's POST operation. If it comes from the
    > form, all is fine.
    >
    > However, if someone were to manually type the address in
    > the address bar - http://www.mysite.com/myPage.asp - I'd
    > like to be able to detect that they're trying to
    > circumvent the form and redirect them to the appropriate
    > page using Response.Redirect().
    >
    > What's the best way to tell whether a page is coming as
    > the result of a POST operation?
     
    Ray at, Jul 7, 2003
    #2

  3. MDW

    MDW Guest

    Hmmmm....

    What about something like this:

    strID = Request.Form("ImportantValueWithoutWhichPageWouldntWork")

    ' Request.Form returns an empty string when the field was not posted at all
    If strID = "" Then
        Response.Redirect("useTheFormYouDope.asp")
    End If



    >-----Original Message-----
    >Request.ServerVariables("REQUEST_METHOD") will tell you if it was posted or
    >getted (?). But, I can make C:\PathOnMyComputer\page.htm with:
    >
    ><form method="post" action="http://www.yoursite.com/yourpage.asp"> and post
    >to it.
    >
    >Ray at work
    >
    >"MDW" <> wrote in message
    >news:776801c34499$33c80f20$...
    >> Say I've got a page - myPage.asp - that expects to see the
    >> results of a form's POST operation. If it comes from the
    >> form, all is fine.
    >>
    >> However, if someone were to manually type the address in
    >> the address bar - http://www.mysite.com/myPage.asp - I'd
    >> like to be able to detect that they're trying to
    >> circumvent the form and redirect them to the appropriate
    >> page using Response.Redirect().
    >>
    >> What's the best way to tell whether a page is coming as
    >> the result of a POST operation?
     
    MDW, Jul 7, 2003
    #3
  4. MDW

    Randy R Guest

    > What's the best way to tell whether a page is coming as
    > the result of a POST operation?


    What about setting a session variable on the page where the form is and
    checking if that session variable is valid on the next page. If it's not,
    then you can redirect them back to the form.
     
    Randy R, Jul 7, 2003
    #4
  5. MDW

    Ray at Guest

    That would work, but, I could put <input
    value="ImportantValueWithoutWhichPageWouldntWork"> in my form as well. Have
    you seen those "validation ticket" things on websites where you have to
    enter a string of characters into a textbox on the form from reading an
    image that contains the string of characters? IE, go to www.godaddy.com,
    look up a domain that is taken, and then do a whois. You have to enter a
    ticket number. I think you'd have to do something like that to be 100% sure
    that the person is submitting from your form.

    You could also use cookies or sessions to be 99% sure.

    Also, you could write a cookie on the page with your form that is a random
    string and another one with an ID and also store that value in a DB,
    temporarily. Then, when the form is submitted, you could look up the cookie
    ID in the database and see if the random string matches from the DB and the
    other cookie that the client sent.

    Ray at work

    "MDW" <> wrote in message
    news:0af401c3449a$d45b4730$...
    > Hmmmm....
    >
    > What about something like this:
    >
    > strID = Request.Form
    > ("ImportantValueWithoutWhichPageWouldntWork")
    >
    > If strID = "" Then
    >
    > Response.Redirect("useTheFormYouDope.asp")
    >
    > End If
    >
     
    Ray at, Jul 7, 2003
    #5
  6. MDW

    MDW Guest

    Yeah, I could do that. But in all honesty.... *L* If
    someone is trying to fool my site like that, they must be
    REALLY bored.

    Thx for the ideas. I'll play around, probably do some
    combination of them. Just trying to idiot-proof my site.


    >-----Original Message-----
    >That would work, but, I could put <input
    >value="ImportantValueWithoutWhichPageWouldntWork"> in my form as well. Have
    >you seen those "validation ticket" things on websites where you have to
    >enter a string of characters into a textbox on the form from reading an
    >image that contains the string of characters? IE, go to www.godaddy.com,
    >look up a domain that is taken, and then do a whois. You have to enter a
    >ticket number. I think you'd have to do something like that to be 100% sure
    >that the person is submitting from your form.
    >
    >You could also use cookies or sessions to be 99% sure.
    >
    >Also, you could write a cookie on the page with your form that is a random
    >string and another one with an ID and also store that value in a DB,
    >temporarily. Then, when the form is submitted, you could look up the cookie
    >ID in the database and see if the random string matches from the DB and the
    >other cookie that the client sent.
    >
    >Ray at work
     
    MDW, Jul 7, 2003
    #6
  7. MDW

    Ray at Guest

    Yeah, I mean, if you think about it, what harm can be done? They still can
    only submit what your site will accept. Just control field lengths and
    things on the server instead of relying on things like "maxlength" in the
    inputs, and everything should be okay.

    Ray at work

    "MDW" <> wrote in message
    news:01d701c3449f$a9fd3b60$...
    > Yeah, I could do that. But in all honesty.... *L* If
    > someone is trying to fool my site like that, they must be
    > REALLY bored.
    >
    > Thx for the ideas. I'll play around, probably do some
    > combination of them. Just trying to idiot-proof my site.
    >
    >
     
    Ray at, Jul 7, 2003
    #7
  8. MDW

    Evertjan. Guest

    MDW wrote on 07 jul 2003 in microsoft.public.inetserver.asp.general:

    > Hmmmm....
    >
    > What about something like this:
    >
    > strID = Request.Form
    > ("ImportantValueWithoutWhichPageWouldntWork")
    >
    > If strID = "" Then
    >
    > Response.Redirect("useTheFormYouDope.asp")
    >
    > End If
    >


    I would add a test of Request.ServerVariables("HTTP_REFERER") [yes, I know
    this sometimes fails] to ascertain that the posting page was mine.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Jul 7, 2003
    #8
  9. MDW

    Mosley Guest

    "MDW" <> wrote in message
    news:01d701c3449f$a9fd3b60$...
    > Yeah, I could do that. But in all honesty.... *L* If
    > someone is trying to fool my site like that, they must be
    > REALLY bored.



    Why don't you use Ray's idea,
    Request.ServerVariables("REQUEST_METHOD")

    with
    Request.ServerVariables("HTTP_REFERER")
    as well?

    That will tell you the method used and what page it came from.


    >
    > Thx for the ideas. I'll play around, probably do some
    > combination of them. Just trying to idiot-proof my site.
    >
    >
     
    Mosley, Jul 7, 2003
    #9
  10. "Randy R" wrote:
    >>
    >> What's the best way to tell whether a page is coming as
    >> the result of a POST operation?

    >
    > What about setting a session variable on the page where the
    > form is and checking if that session variable is valid on
    > the next page. If it's not, then you can redirect them back
    > to the form.


    This only tests whether there is a valid session, not whether the form
    submission originated from one of his pages. Certainly a user could have a
    valid session, yet still submit a request from a self-created form.

    The short answer to the original question is that there is little you can
    ever safely assume about the content of the request. Your application design
    should reflect this.

    Evaluate the request in its entirety, always assuming the user constructed
    the request himself. Most of the things you can do take little more than
    common sense: Ask yourself which items could be spoofed and with what
    likelihood (session cookies are more difficult to guess/spoof than form
    name-value pairs, for example). Make sure REMOTE_HOST hasn't changed since
    the session was generated. Use SSL where security is *really* needed.


    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Jul 7, 2003
    #10
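    The layered check the thread converges on (REQUEST_METHOD from post #2, HTTP_REFERER from posts #8 and #9, and Ray's random string stored server-side from post #5, all evaluated together as Dave advises), as an added Python example that is not from any poster; it models the ASP request as plain dicts and goes one step beyond Ray's description by expecting the random string back in a hidden form field rather than a second cookie, so a form hosted on another site cannot supply it. The function names, the cookie name formid and the field name formtoken are assumptions.

```python
import hmac
import secrets

SITE_HOST = "www.mysite.com"  # host from the thread's example URL
ISSUED_TOKENS = {}            # constructed stand-in for Ray's temporary DB table: form ID -> token


def issue_form_token():
    """Run while rendering the form page. Returns (form_id, token): form_id is set as a
    cookie, token is written into a hidden <input name="formtoken"> (assumed name)."""
    form_id = secrets.token_hex(8)
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[form_id] = token
    return form_id, token


def check_post(server_vars, cookies, form):
    """Validate one submission to myPage.asp. The dicts mirror Request.ServerVariables,
    Request.Cookies and Request.Form. Returns (ok, reason)."""
    # 1. REQUEST_METHOD: rejects a typed-in GET, but any page anywhere can POST.
    if server_vars.get("REQUEST_METHOD", "").upper() != "POST":
        return False, "not a POST"
    # 2. HTTP_REFERER: client-supplied and sometimes stripped, so an empty value is
    #    tolerated; a value naming another site is still rejected.
    referer = server_vars.get("HTTP_REFERER", "")
    if referer and not referer.startswith(f"http://{SITE_HOST}/"):
        return False, "referer is another site"
    # 3. Token: must equal the string issued for this form ID; pop() consumes it so
    #    the same submission cannot be replayed. Constant-time compare avoids leaking it.
    expected = ISSUED_TOKENS.pop(cookies.get("formid", ""), None)
    presented = form.get("formtoken", "")
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "token missing, unknown or already used"
    return True, "ok"


def demo():
    """Constructed requests: the genuine submission, a replay of it, a POST from a
    form hosted on another site, and a bare GET from the address bar."""
    form_id, token = issue_form_token()
    genuine = ({"REQUEST_METHOD": "POST", "HTTP_REFERER": f"http://{SITE_HOST}/form.asp"},
               {"formid": form_id}, {"formtoken": token, "ImportantValue": "42"})
    foreign = ({"REQUEST_METHOD": "POST", "HTTP_REFERER": "http://www.yoursite.com/page.htm"},
               {"formid": form_id}, {"formtoken": "whatever-the-other-site-guessed"})
    typed_in = ({"REQUEST_METHOD": "GET"}, {}, {})
    return [check_post(*r)[1] for r in (genuine, genuine, foreign, typed_in)]


if __name__ == "__main__":
    print(demo())  # ['ok', 'token missing, unknown or already used', 'referer is another site', 'not a POST']
```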