Stan:

The HTTP Referer header can be spoofed quite easily.  And if it's spammers
you're worried about, they would definitely have the capabilities to spoof
the header.

Try to find a mechanism that doesn't rely on user-provided data or that
requires multiple steps.  For example, if you're concerned about people
auto-submitting to your action page without coming through your form page,
build in a check that verifies they visited the form page, such as those
systems that ask you to type in the string shown in the associated image.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: [EMAIL PROTECTED]
WWW: http://www.evoch.com/
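As an added illustration, not part of either message in this thread, the Python sketch below puts the Referer substring check from the quoted CFML script beside the kind of multi-step check Mosh describes: a random, single-use token issued by the form page and bound to the visitor's server-side session, which the action page then verifies. The session ids, the in-memory session store, the host name and the Referer values are all constructed for the example; a real site would keep the outstanding tokens in its session scope.

```python
import hmac
import secrets


def referer_check(http_host: str, http_referer: str) -> bool:
    """Same test as the quoted CFML: case-insensitive substring search of
    CGI.HTTP_HOST inside CGI.HTTP_REFERER.  The header is chosen by the
    client, so a spammer simply sends whatever value makes this return True;
    a browser that omits the header is blocked along with the spammers."""
    return http_host.lower() in http_referer.lower()


class FormProtector:
    """Multi-step check that does not trust client-supplied headers.

    render_form() is called when the form page is served and issues a random,
    single-use token bound to the visitor's server-side session.  action() is
    called by the action page and only accepts a submission that carries one
    of the tokens issued to that same session.  A client that never loaded the
    form page has no token to present, whatever Referer it sends.
    """

    def __init__(self) -> None:
        # Constructed in-memory stand-in for server-side session storage:
        # session id -> tokens issued to that session and not yet used.
        self._outstanding: dict[str, set[str]] = {}

    def render_form(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token  # embedded in the form as a hidden field

    def action(self, session_id: str, submitted_token: str) -> bool:
        tokens = self._outstanding.get(session_id, set())
        matched = None
        for issued in tokens:
            # constant-time comparison, so a wrong guess leaks no timing info
            if hmac.compare_digest(issued.encode(), submitted_token.encode()):
                matched = issued
                break
        if matched is None:
            return False
        tokens.discard(matched)  # single use: a replay of the same token fails
        return True


def scenario() -> dict[str, bool]:
    """Walk through the cases the thread is about; returns name -> outcome,
    where True means the mechanism behaved as intended."""
    host = "www.example.com"  # assumed value of CGI.HTTP_HOST
    protector = FormProtector()

    # 1. Legitimate visitor: loads the form page, then posts once.
    token = protector.render_form("sess-visitor")
    results = {
        "legit_post_accepted": protector.action("sess-visitor", token),
        "replay_rejected": not protector.action("sess-visitor", token),
    }

    # 2. Spammer posting straight to the action page with a forged Referer:
    #    passes the header check, fails the token check.
    forged_referer = f"http://{host}/contact.cfm"
    results["forged_referer_passes_header_check"] = referer_check(host, forged_referer)
    results["forged_referer_fails_token_check"] = not protector.action("sess-spammer", "guess")

    # 3. Substring matching also accepts an unrelated host that merely
    #    contains ours (www.example.com.evil.test is a constructed name).
    results["lookalike_host_passes_header_check"] = referer_check(
        host, "http://www.example.com.evil.test/")
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The token check needs nothing from the client that the client did not first receive from the form page, which is the property Mosh is after; the Referer check, by contrast, is satisfied by a single forged header line.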

-----Original Message-----
From: Stan Winchester [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 27, 2004 3:09 PM
To: CF-Talk
Subject: Protect action pages

I want to protect action pages from unauthorized forms that are not on the
same server, namely spammers. I wrote this simple script that will work in
conjunction with my other form validation scripts to ensure a referrer comes
from the same CGI.HTTP_HOST.

<cftry>
  <cfscript>
    message = "";
    errors = 0;
    // Block the request unless CGI.HTTP_HOST appears (case-insensitively)
    // somewhere in CGI.HTTP_REFERER; an absent or empty Referer also fails.
    if ( NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER) ) {
      message = "You cannot access this page";
      errors = 1;
    }
  </cfscript>
  <cfif errors EQ 1>
    <cfthrow message="#message#" type="goBack">
  </cfif>

  <!--- The thrown "goBack" exception lands here and the message is shown. --->
  <cfcatch type="Any">
    <cfoutput>
      <h3>#message#</h3>
    </cfoutput>
  </cfcatch>
</cftry>

Does anyone see any holes that I should address, or is there a better
solution?

Thank you,
Aftershock Web Design, Inc.
by: Stan Winchester
President/Developer
[EMAIL PROTECTED]
http://www.aftershockweb.com/
Tel. 503-244-3440
Fax 503-244-3454