> you may want to check the "referring page" on the page 
> catching the form. to make sure it is coming from where 
> you expect it to.

This isn't especially effective, as the browser provides this information -
and it's just as easy to change as any other information from the browser.

> ..or you could serialize your form when it is presented - 
> create an encrypted and/or encoded ticket which contains 
> information like: client IP address, date time. maybe even 
> reference a value you create and store in a DB waiting for the 
> form to be posted (eliminating the potential for using 1 
> form to post multiple times - ie you need to generate 
> the form before it is posted - and it can only be posted once.).
> 
> when the form gets posted - you decode the ticket to validate 
> the submission.
> 
> (Making this up as I go along)

Instead of making it up as you go along (generally not a good security
practice, if for no other reason than you might forget what you've done
later), you might be better served by following the existing body of best
practices in CGI application design and data validation. Boiled down to one
sentence, they could be summarized as "don't trust data from the browser,
only accept the data that can legitimately be provided by the user, and make
sure that the data falls within acceptable boundaries."

Following your above example, what's to stop someone from simply recording
the HTTP request, modifying the things that they want to change (which
wouldn't affect the ticket containing client IP address or date/time) and
sending the modified HTTP request?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
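The point of the reply above is that a ticket carrying only the client IP and a timestamp says nothing about the form fields themselves: an attacker who records the request can edit any field and resend it with the untouched ticket. The following is an added example, not code from the original thread or from Fig Leaf Software, written in Python rather than ColdFusion. It shows the quoted scheme repaired along the lines of the reply: the ticket is HMAC-signed and binds the server-chosen field values (here a constructed `item_id` and `price`), the client IP, an expiry, and a one-time nonce kept in a server-side store (a set stands in for the DB row), and every user-editable field is checked against an explicit range rule. The key, field names and rules are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder key; in a real deployment this is a server-side secret.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# Stand-in for the database row the quoted post describes: nonces of tickets
# that have been issued but not yet redeemed.
ISSUED_NONCES = set()

# Validation rules for the fields the user is legitimately allowed to fill in
# (constructed for this example). Anything not listed here is rejected.
USER_FIELD_RULES = {
    "quantity": lambda s: s.isdigit() and 1 <= int(s) <= 10,
    "email": lambda s: 3 <= len(s) <= 254 and "@" in s,
}


def _sign(body: bytes) -> str:
    return hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()


def issue_ticket(fixed_fields: dict, client_ip: str, now: int, ttl: int = 600) -> str:
    """Build a ticket when the form is rendered. It binds the server-chosen
    (non-editable) field values, the client IP, an expiry and a one-time nonce,
    and is protected by an HMAC so the client cannot alter any of it."""
    nonce = secrets.token_hex(16)
    payload = {"fields": fixed_fields, "ip": client_ip, "exp": now + ttl, "nonce": nonce}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    ISSUED_NONCES.add(nonce)
    return body.hex() + "." + _sign(body)


def verify_submission(ticket: str, submitted: dict, client_ip: str, now: int):
    """Check a posted form. Returns (ok, reason). Every server-chosen field must
    match what the ticket bound; every user field must pass its rule; the nonce
    is consumed only after all checks pass, so the ticket can be redeemed once."""
    try:
        body_hex, tag = ticket.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed ticket"
    if not hmac.compare_digest(_sign(body), tag):
        return False, "bad signature"
    payload = json.loads(body)
    if now > payload["exp"]:
        return False, "ticket expired"
    if payload["ip"] != client_ip:
        return False, "client address changed"
    if payload["nonce"] not in ISSUED_NONCES:
        return False, "ticket already used or never issued"
    # Server-chosen fields: the posted value must equal the bound value.
    for name, bound in payload["fields"].items():
        if submitted.get(name) != bound:
            return False, f"field '{name}' was modified"
    # User-supplied fields: only the expected names, each within bounds.
    expected = set(payload["fields"]) | set(USER_FIELD_RULES)
    extra = set(submitted) - expected
    if extra:
        return False, f"unexpected fields: {sorted(extra)}"
    for name, rule in USER_FIELD_RULES.items():
        value = submitted.get(name)
        if not isinstance(value, str) or not rule(value):
            return False, f"field '{name}' missing or out of range"
    ISSUED_NONCES.discard(payload["nonce"])  # one-time use
    return True, "ok"


def demo():
    """Constructed walk-through: an honest post, a replay of the same request,
    a recorded request with the price edited, and an out-of-range quantity."""
    now = 1_000_000
    fixed = {"item_id": "SKU-123", "price": "19.99"}
    client = "192.0.2.10"  # documentation address, constructed
    ticket = issue_ticket(fixed, client, now)
    honest = dict(fixed, quantity="2", email="buyer@example.com")
    results = [
        verify_submission(ticket, honest, client, now + 60),  # accepted
        verify_submission(ticket, honest, client, now + 61),  # replay rejected
    ]
    edited = dict(honest, price="0.01")  # same request, one field altered
    results.append(verify_submission(issue_ticket(fixed, client, now), edited, client, now + 60))
    too_many = dict(honest, quantity="999")
    results.append(verify_submission(issue_ticket(fixed, client, now), too_many, client, now + 60))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The IP and timestamp checks from the quoted post are kept, but they only restrict who can post and when; it is the signed copy of the server-chosen values plus the range rules on user input that actually stop a recorded-and-edited request, which is the gap the reply points out.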
______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists