But the only thing I have to do to get around that is to hit the
"live" form, do a View source, get the hidden values and update my
local form with those hidden value(s).



On 5/9/07, Ken Wexel <[EMAIL PROTECTED]> wrote:
> When I ran into this problem previously, I'd set a value into the user
> session and set the same value as a hidden form field.  On post, if
> the two didn't match, I knew the posting was invalid.  Can be
> something as simple as a long numeric value.
>
> On 5/8/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
> > That's where I started... but the thing is, I think they can spoof that
> > variable?  Or not?
> >
> >
> > -----Original Message-----
> >
> > From: AJ Mercer [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, May 08, 2007 9:53 PM
> > To: CF-Talk
> > Subject: Re: defeating offline form posts
> >
> > Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
> > This is the page before the current one - it should have your server
> > details in there, otherwise discard.
> >
> >
> > On 5/9/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
> > >
> > > Curious question here.   If I think about this, if someone takes a
> > > form of ours for login, for example, and makes a local copy on their
> > > machine... and they set the post action to be the live server
> > > authenticate file... what is the best way to detect this and defeat
> > > it?
> > > No one has ever gained access this way as of yet, but we are studying
> > > possibilities, and this seems to me to be an attack vector.
> > >
> > >
> > >
> > > Any thoughts?    A check to see if the referrer was the domain
> > > name/login file name?   Or can that be spoofed as well then?
> > >
> > >
> > >
> > > Thanks~!
> > >
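Ken's session/hidden-field check and Eric's view-source workaround, written out as an added example. It is not code from the thread and not ColdFusion; it is a plain Python model of the two sides so the check can be run offline. The in-memory session store, the form action https://example.test/authenticate.cfm, the field name formtoken and the scenario functions are assumptions made for illustration.

```python
import hmac
import re
import secrets
from typing import Dict, Optional

# Constructed stand-in for the server's session store: session id -> data.
# In a real deployment the session id travels in a cookie.
sessions: Dict[str, Dict[str, str]] = {}

# Hypothetical login form; host and field name are assumptions.
LOGIN_FORM = (
    '<form method="post" action="https://example.test/authenticate.cfm">\n'
    '  <input type="hidden" name="formtoken" value="{token}">\n'
    '  <input type="text" name="username"> <input type="password" name="password">\n'
    '</form>\n'
)


def new_session() -> str:
    sid = secrets.token_hex(16)
    sessions[sid] = {}
    return sid


def serve_login_form(sid: str) -> str:
    """GET of the live form: mint a random value, keep it in the session,
    echo the same value into a hidden field (the scheme Ken describes)."""
    token = secrets.token_hex(16)
    sessions[sid]["formtoken"] = token
    return LOGIN_FORM.format(token=token)


def handle_post(cookie_sid: Optional[str], fields: Dict[str, str]) -> bool:
    """POST handler: accept only if the hidden value matches the one stored
    for the session named by the cookie. Constant-time compare so the check
    itself does not leak the value; the value is consumed on first use."""
    if cookie_sid is None or cookie_sid not in sessions:
        return False
    expected = sessions[cookie_sid].get("formtoken")
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, fields.get("formtoken", ""))
    sessions[cookie_sid].pop("formtoken", None)   # one-shot, no replay
    return ok


def scrape_hidden_value(html: str, name: str) -> Optional[str]:
    """What 'View source' gives you: pull the hidden field out of the HTML."""
    m = re.search(r'name="%s" value="([^"]*)"' % re.escape(name), html)
    return m.group(1) if m else None


def referer_is_ours(headers: Dict[str, str]) -> bool:
    """The CGI.HTTP_REFERER check suggested in the thread. The header is
    supplied by the client, so a non-browser client can send anything."""
    return headers.get("Referer", "").startswith("https://example.test/")


def scenario_local_copy_other_session() -> bool:
    """A saved local copy of the form (with whatever hidden value it had when
    saved) posted under a session that never served that form."""
    saved_html = serve_login_form(new_session())      # copy taken earlier
    stale = scrape_hidden_value(saved_html, "formtoken")
    attacker_sid = new_session()                      # a different session
    return handle_post(attacker_sid, {"formtoken": stale, "username": "x"})


def scenario_scrape_live_form() -> bool:
    """Eric's workaround: hit the live form with the same session cookie,
    view source, paste the hidden value into the local form, post it."""
    sid = new_session()
    fresh = scrape_hidden_value(serve_login_form(sid), "formtoken")
    return handle_post(sid, {"formtoken": fresh, "username": "x"})


def scenario_forged_referer() -> bool:
    """A client that sets the Referer header itself passes the referer test."""
    return referer_is_ours({"Referer": "https://example.test/login.cfm"})


def scenario_replay() -> bool:
    """The same scraped value posted twice: first accepted, second refused."""
    sid = new_session()
    fresh = scrape_hidden_value(serve_login_form(sid), "formtoken")
    first = handle_post(sid, {"formtoken": fresh})
    second = handle_post(sid, {"formtoken": fresh})
    return first and not second


if __name__ == "__main__":
    print("local copy, other session accepted:", scenario_local_copy_other_session())
    print("value scraped from live form accepted:", scenario_scrape_live_form())
    print("forged Referer passes:", scenario_forged_referer())
    print("one-shot value blocks replay:", scenario_replay())
```

The four scenarios mark out what the check does and does not decide: a copy posted under a session that never served the form is refused, a value scraped from the live form under the same session cookie is accepted, the Referer header is whatever the client chooses to send, and consuming the value on first use stops the same post from being repeated. The hidden value therefore ties a post to the session cookie, not to where the HTML was loaded from, which is the property that separates a post made by the session's owner (from any page) from one forged across sessions.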


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277376