Explain to me what you think you're actually protecting against? If you've
been moderately careful, someone using an "unauthorized" form (or no form at
all) can do nothing more than someone using an "authorized" form.
The things you have to avoid are things like relying upon client-side data
validation and/or security. Also, you generally want to be very careful when
using an action page for multiple applications requiring different security
levels - for instance, using an action page for both unauthenticated public
use and for an admin interface that gives the user data deletion abilities.
If your application requires user authentication, make sure you authenticate
on every page, including form action pages.
----- Original Message -----
From: "Stan Winchester" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, February 27, 2004 1:09 PM
Subject: Protect action pages
> I want to protect action pages from unauthorized forms that are not on the
> same server, namely spammers. I wrote this simple script that will work in
> conjunction with my other form validation scripts to ensure a referrer comes
> from the same CGI.HTTP_HOST.