This random number, because it is being sent to the user, is just as easy to forge as the rest of the fields on the form. The only thing you can do is check the referrer on the submitted page, but alas even this can be forged with enough techno-how. Good luck!
James

-----Original Message-----
From: Cal Evans [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 4:05 PM
To: Warrick Wilson; [EMAIL PROTECTED]
Subject: RE: [PHP] Is it possible to verify that a form submission is not being "spoofed"?

Generate a random number when creating a form, store it in the session and in a hidden field on the form. Then when the post comes back, make sure the hidden field is there and that it matches the one in the session.

Cal

*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*

-----Original Message-----
From: Warrick Wilson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 2:52 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Is it possible to verify that a form submission is not being "spoofed"?

I'm having a hard time explaining what I'm trying to do, which is why I'm having a hard time finding anything online/in manuals...

My site serves a form for the user to fill in. The user has been authenticated with a login and we're using PHP 4 sessions. When using Internet Explorer, the user can hit Ctrl-N and get a new window, but his session for that new window is still valid. He could then load up a local page and submit it to the target of my original form.

Is there some way of detecting that the submission came from a page that hadn't been served up by my application, but was instead sent in from some other "foreign" form? Or maybe the question is: how can I kill off sessions if the user navigates away from the page that I sent him originally?

Warrick Wilson
mailto:[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
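The per-form token that Cal describes above, written out as an added example; this is not code from the thread or from any of its participants. It assumes PHP 7 or later (random_bytes, hash_equals, the null-coalescing operator) rather than the PHP 4 the original question targets, and the function names, the session key name, the form field name and the demo values at the bottom are all my own choices. A plain array stands in for $_SESSION so the script runs from the command line; in a real page you would call session_start() and pass $_SESSION to these functions instead. As James points out, the token is visible to whoever receives the page, so this check establishes that the POST carries a token this session was issued by your application, which blocks a page on another origin that cannot read it; it does not stop the logged-in user from copying the token into a hand-built form.

```php
<?php
// Added example (not from the thread). Per-form token pattern:
// issue a random token, keep it in the session and in a hidden field,
// and on POST require that the two match. Assumes PHP >= 7.
declare(strict_types=1);

// Session key and form field name are assumptions, not anything the thread specifies.
const FORM_TOKEN_KEY   = 'form_token';
const FORM_TOKEN_FIELD = 'form_token';

// Generate a fresh token from the CSPRNG, store it in the session, return it.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits, hex so it embeds safely in HTML
    $session[FORM_TOKEN_KEY] = $token;
    return $token;
}

// Build the form markup with the token in a hidden field.
function render_form(array &$session, string $action = '/submit.php'): string
{
    $token = issue_form_token($session);
    $esc = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    return '<form method="post" action="' . $esc($action) . '">'
         . '<input type="hidden" name="' . FORM_TOKEN_FIELD . '" value="' . $esc($token) . '">'
         . '<input type="text" name="comment">'
         . '<input type="submit" value="Send">'
         . '</form>';
}

// On POST: the hidden field must be present and equal the session copy.
// The token is single-use: it is removed from the session whether or not it matched,
// so a replayed POST (or a guess) does not get a second try against the same value.
function verify_form_token(array &$session, array $post): bool
{
    $expected  = $session[FORM_TOKEN_KEY] ?? null;
    $submitted = $post[FORM_TOKEN_FIELD] ?? null;
    unset($session[FORM_TOKEN_KEY]);
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// --- Demo with an array standing in for $_SESSION (constructed input) ---
$session = [];
echo render_form($session), "\n";

// A submission that came from the form we just served.
$genuine = [FORM_TOKEN_FIELD => $session[FORM_TOKEN_KEY], 'comment' => 'hello'];
echo 'genuine submission accepted: ', var_export(verify_form_token($session, $genuine), true), "\n";

// The same POST replayed: the token was consumed, so it is now rejected.
echo 'replayed submission accepted: ', var_export(verify_form_token($session, $genuine), true), "\n";

// A "foreign" form that never saw the served page has to guess the token.
$session2 = [];
issue_form_token($session2);
$foreign = [FORM_TOKEN_FIELD => str_repeat('00', 32), 'comment' => 'spoofed'];
echo 'foreign submission accepted: ', var_export(verify_form_token($session2, $foreign), true), "\n";

// A POST with no token field at all.
$session3 = [];
issue_form_token($session3);
echo 'tokenless submission accepted: ', var_export(verify_form_token($session3, ['comment' => 'x']), true), "\n";
```

In a page handler this becomes session_start(); then render_form($_SESSION) when serving the form and verify_form_token($_SESSION, $_POST) at the top of the POST target, rejecting the request before any state is changed if it returns false. Because the token is removed on every check, a user who opens the form in two windows will have the second window's token overwrite the first; if that matters, key the tokens by form name or keep a small list of outstanding tokens in the session instead of a single value.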