Prevent posting

Just1Coder

How can I prevent posting of a form from any other site but the site the
form lives on?
 
David Morgan

Set a cookie when the form loads and then check its value when you submit.

Generate an encrypted number when you display the form, decrypt it when you
save it and check it's correct.
 
Just1Coder

James said:
Might want to look into:

Request.ServerVariables("HTTP_REFERER")

Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?
 
David Morgan

No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there and
valid when you process it. You could do it with a database and the visitor's
IP address, but it's a bit like overkill.

Regards

David
 
Just1Coder

Could you post an example? Or a link?

David said:
No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there and
valid when you process it. You could do it with a database and the visitor's
IP address, but it's a bit like overkill.

Regards

David
 
David Morgan

Hi

Sorry, I just don't have the time, but something like this could be enough
....

Create a PIN.

iPIN = Year(Date) + Month(Date) + Day(Date)

<form .... >
<input type="hidden" name="intPIN" value="<%=iPIN%>">
....
</form>

Form is submitted

iPIN = Year(Date) + Month(Date) + Day(Date)

' Guard first: CLng("") raises a type mismatch if the field is missing or tampered
strPIN = Request.Form("intPIN")
If Not IsNumeric(strPIN) Then
    ' Not submitted from form
ElseIf iPIN <> CLng(strPIN) Then
    ' Not submitted from form
End If

Obviously this would allow any referrer who copied the form 'today' and
also, those who display the form before midnight and post it afterward will
have a problem, but you get the idea.
 
Just1Coder

Ah, I see.

So a random number or GUID or something like that should work OK?
 
Larry Bud

Just1Coder said:
How can I prevent posting of a form from any other site but the site the
form lives on?

Set a session variable when the form loads, then make sure the session
var exists when processing the form.
 
Dave Anderson

Just1Coder said:
How can I prevent posting of a form from any other site but the site
the form lives on?

Why bother?

It sounds like you are attempting to put some of your security on the client
side. This is trivial to defeat. Heck - with the Firefox LiveHTTPHeaders
extension, I can change anything at all in a request and re-send. Anything.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 
Just1Coder

Dave said:
Why bother?

It sounds like you are attempting to put some of your security on the client
side. This is trivial to defeat. Heck - with the Firefox LiveHTTPHeaders
extension, I can change anything at all in a request and re-send. Anything.

Yes, I know there are several ways around it, but I have been asked to.

Didn't know about that LiveHTTPHeaders extension though, very cool.
 
Egbert Nierop (MVP for IIS)

Just1Coder said:
Ah, I see.

So a random number or GUID or something like that should work OK?

Yes, put that random value in the session state and check it after a post.
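The pattern Larry Bud and Egbert Nierop describe (mint a random value when the form is rendered, keep it in server-side session state, compare on post) is shown below as an added example. It is not code from anyone in this thread and is written in Python rather than classic ASP so it runs stand-alone; the `Session` class is a constructed stand-in for the server's session object, and `render_form` / `validate_post` stand in for the page's display and processing steps. Compared with the date-based PIN sketched earlier, the token cannot be derived from the calendar, does not expire at midnight, is bound to one visitor's session, and is accepted only once.

```python
import hmac
import secrets


class Session:
    """Stand-in for server-side session state (Session(...) in classic ASP).
    Constructed for this example; a real app uses the framework's session object."""

    def __init__(self):
        self.data = {}


def render_form(session):
    """Called when the form page is displayed.

    Mints an unpredictable token, stores it in the visitor's session and returns
    the hidden field to embed in the form. Unlike a date-based PIN, the token is
    not derivable by anyone who merely knows today's date, and it does not change
    at midnight, so it stays valid for the life of the session.
    """
    token = secrets.token_urlsafe(32)
    session.data["form_token"] = token
    return '<input type="hidden" name="form_token" value="%s">' % token


def validate_post(session, form):
    """Called when the form is posted.

    The value is taken from the session and removed, so each token is accepted
    once at most (a replayed or duplicate submission fails). Nothing here looks
    at the Referer header, which browsers and filtering software may strip.
    """
    expected = session.data.pop("form_token", None)
    submitted = form.get("form_token")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


if __name__ == "__main__":
    # Constructed walk-through: a legitimate visitor loads and submits the form.
    visitor = Session()
    hidden_field = render_form(visitor)
    good_post = {"form_token": visitor.data["form_token"]}
    print(hidden_field)
    print("genuine submission accepted:", validate_post(visitor, good_post))
    # The same token submitted again is rejected, as is a post from a session
    # that never rendered the form.
    print("replay accepted:", validate_post(visitor, good_post))
    print("form-less post accepted:", validate_post(Session(), {"form_token": "guess"}))
```

Because the token lives in the session, a visitor who loads the form before midnight and posts it afterwards is unaffected; the only thing that invalidates the token is the session ending or the token being consumed by an earlier post.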
 