Prevent posting

Discussion in 'ASP General' started by Just1Coder, Oct 7, 2004.

  1. Just1Coder

    Just1Coder Guest

    How can I prevent posting of a form from any other site but the site the
    form lives on?
     
    Just1Coder, Oct 7, 2004
    #1

  2. Just1Coder

    James Guest

    Might want to look into:

    Request.ServerVariables("HTTP_REFERER")

    "Just1Coder" <> wrote in message
    news:...
    > How can I prevent posting of a form from any other site but the site the
    > form lives on?
     
    James, Oct 7, 2004
    #2

  3. Just1Coder

    David Morgan Guest

    Set a cookie when the form loads and then check its value when you submit.

    Generate an encrypted number when you display the form, decrypt it when you
    save it and check it's correct.



    "Just1Coder" <> wrote in message
    news:...
    > How can I prevent posting of a form from any other site but the site the
    > form lives on?
     
    David Morgan, Oct 7, 2004
    #3
  4. Just1Coder

    Just1Coder Guest

    James wrote:
    > Might want to look into:
    >
    > Request.ServerVariables("HTTP_REFERER")
    >
    > "Just1Coder" <> wrote in message
    > news:...
    >
    >>How can I prevent posting of a form from any other site but the site the
    >>form lives on?

    >
    >
    >

    Yeah... that's what I was thinking...

    Currently the form posts to itself...

    On one of the first lines I do a check to see if http_referer = ""

    Is that enough?
     
    Just1Coder, Oct 7, 2004
    #4
  5. Just1Coder

    David Morgan Guest

    No, you cannot rely on the referrer any more as some anti-virus/firewall
    software stops the browser from sending that information.

    You would check to see that the

    Request.ServerVariables("HTTP_REFERER") =
    "http://www.YourDomain.com/YourFormPage.asp"

    You need to set some random value in the form and then check it's there and
    valid when you process it. You could do it with a database and the visitor's
    IP address but it's a bit like overkill.

    Regards

    David

     
    David Morgan, Oct 7, 2004
    #5
  6. Just1Coder

    Just1Coder Guest

    Could you post an example? Or a link?

     
    Just1Coder, Oct 8, 2004
    #6
  7. Just1Coder

    David Morgan Guest

    Hi

    Sorry, I just don't have the time, but something like this could be enough
    ....

    Create a PIN.

    iPIN = Year(Date) + Month(Date) + Day(Date)


    <form .... >
    <input type="hidden" name="intPIN" value="<%=iPIN%>">
    ....
    </form>

    Form is submitted

    iPIN = Year(Date) + Month(Date) + Day(Date)

    If iPIN <> CLng(Request.Form("intPIN")) Then
    ' Not submitted from form
    End If

    Obviously this would allow any referrer who copied the form 'today' and
    also, those who display the form before midnight and post it afterward will
    have a problem, but you get the idea.


     
    David Morgan, Oct 8, 2004
    #7
  8. Just1Coder

    Just1Coder Guest

    Ah, I see.

    So a random number or GUID or something like that should work OK?

     
    Just1Coder, Oct 8, 2004
    #8
  9. Just1Coder

    Larry Bud Guest

    Just1Coder <> wrote in message news:<>...
    > How can I prevent posting of a form from any other site but the site the
    > form lives on?


    Set a session variable when the form loads, then make sure the session
    var exists when processing the form.
     
    Larry Bud, Oct 8, 2004
    #9
  10. Just1Coder wrote:
    > How can I prevent posting of a form from any other site but the site
    > the form lives on?


    Why bother?

    It sounds like you are attempting to put some of your security on the client
    side. This is trivial to defeat. Heck - with the FireFox LiveHTTPHeaders
    extension, I can change anything at all in a request and re-send. Anything.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Oct 8, 2004
    #10
  11. Just1Coder

    Just1Coder Guest

    Dave Anderson wrote:
    > Just1Coder wrote:
    >
    >>How can I prevent posting of a form from any other site but the site
    >>the form lives on?

    >
    >
    > Why bother?
    >
    > It sounds like you are attempting to put some of your security on the client
    > side. This is trivial to defeat. Heck - with the FireFox LiveHTTPHeaders
    > extension, I can change anything at all in a request and re-send. Anything.
    >
    >
    >

    Yes, I know but there are several ways around it, but I have been asked to.

    Didn't know about that LiveHTTPHeaders extension though, very cool.
     
    Just1Coder, Oct 8, 2004
    #11
  12. "Just1Coder" <> wrote in message
    news:u0zTv%...
    > Ah, I see.
    >
    > So a random number or GUID or something like that should work OK?


    Yes, put that random in the session state and check it after a post.
     
    Egbert Nierop (MVP for IIS), Oct 10, 2004
    #12
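
The approach suggested in posts #5 and #12 (a random value placed in the form and checked against session state on submit), as an added Classic ASP example that is not code from any poster in the thread. The name `formToken` is illustrative, and using a `Scriptlet.TypeLib` GUID as the random value is an assumption; unlike a date-derived PIN, the value lives only in the visitor's session and cannot be computed by another site.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not from the thread. "formToken" is an illustrative name.

Function NewToken()
    ' Scriptlet.TypeLib returns a fresh GUID each time it is created.
    ' Assumption: the GUID is unpredictable enough for this purpose; swap in
    ' a CSPRNG-backed component if one is available on the server.
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewToken = Mid(tl.Guid, 2, 36)      ' drop the braces and trailing bytes
    Set tl = Nothing
End Function

Function TokenIsValid()
    Dim expected, supplied
    expected = Session("formToken")
    supplied = Request.Form("formToken")
    Session("formToken") = Empty        ' single use: a replayed post fails
    TokenIsValid = False
    If IsEmpty(expected) Then Exit Function   ' form was never served to this session
    If Len(supplied) <> 36 Then Exit Function ' missing or malformed field
    TokenIsValid = (StrComp(expected, supplied, vbBinaryCompare) = 0)
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Not TokenIsValid() Then
        Response.Status = "403 Forbidden"
        Response.Write "Form token missing or invalid."
        Response.End
    End If
    ' ... process the posted fields here ...
    Response.Write "Accepted."
    Response.End
End If

' GET: issue a new token, keep it server-side, and embed it in the form.
Session("formToken") = NewToken()
%>
<form method="post" action="<%= Server.HTMLEncode(Request.ServerVariables("SCRIPT_NAME")) %>">
  <input type="hidden" name="formToken" value="<%= Server.HTMLEncode(Session("formToken")) %>">
  <input type="text" name="comment">
  <input type="submit" value="Send">
</form>
```

Because one token is stored per session, opening the form in a second tab invalidates the token in the first; keep a small set of outstanding tokens in the session if that matters.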