Hi,

How about the following:

  1. Assign a session id to the form every time you generate it.
  2. Maintain that session id on the server side in a sort of cache for a
     specific amount of time (say, T) only. Time-out and delete session id
     entries that haven't been used within time period T.
  3. Have the form page refresh itself every T minutes/seconds etc. (for the
     convenience[1] of a genuine user).
  4. Ensure that a form with a particular session id can be submitted only
     once.
       1. Deleting the session id from the session id cache the first time a
          form is submitted should ensure this. This would lead to the concept
          of "using up" or "consuming" a session id.
  5. Don't process any form that doesn't have a corresponding valid session id
     stored in the session id cache.

While the approach I have outlined above will be susceptible to eavesdropping
(session ids can be sniffed out), that can easily be taken care of by sending
out the form over an HTTPS session.

Of course, if the attacker sets up a robot to request forms from the actual
server and then keeps on submitting spurious data, you're in trouble. There's
very little that can be done against an attack of this sort. You could perhaps
try to keep track of the time difference between the serving of the form and
its submission. This, too, is open to subversion.

Please do point out any loopholes you find in the approach mentioned above.

------------------------

[1]

     If a "genuine" user stops to do something else after partially
     filling out the form, then this setup could become a nuisance.

"Boget, Chris" wrote:

> Well, this was part of what I was going to do.  I was going to check
> to see if the request method was post and if the referer was from
> our host (not just the form/page).  If all that was true, then process
> the form.  If not, don't.
> However, I know that the $HTTP_REFERER variable is not at all
> reliable.  On that note, what browsers/versions would not send this
> information for Apache/PHP to set?  I know it is because of the browser
> that the client is using that this variable is unreliable.  But what those
> browsers/versions are, I don't know and am hoping someone can
> answer.
>
> Chris

--
Regards,
Harshdeep Singh Jawanda.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Member of Technical Staff,                     [O]+91-020-5676700 X-474
Persistent Systems Pvt. Ltd.,                  [R]+91-020-5890053
[EMAIL PROTECTED]                               [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
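The one-time form id scheme in steps 1 to 5 above (generate an unguessable id per rendered form, cache it server-side for T, consume it on first submission, refuse anything not in the cache), written out as an added example that is not code from the original post. The list is about PHP, but the logic is framework-agnostic, so it is shown in plain Python with the clock injected so the expiry path can be exercised without waiting; the names FormTokenCache, FakeClock and demo are my own. The min_fill_seconds check stands in for the "time difference between serving and submission" heuristic mentioned at the end of the post, and, as the post says, a robot that simply waits before submitting gets past it. Sending the form over HTTPS so the id cannot be sniffed is outside what the snippet shows.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    issued_at: float    # when the form carrying this id was generated
    expires_at: float   # issued_at + T


class FormTokenCache:
    """Server-side cache of one-time form ids (hypothetical class, added here).

    An id is accepted only if it is present in the cache and has not expired.
    Consuming an id removes it, so a second submission carrying the same id
    (a replay, or a double-click) is rejected.
    """

    def __init__(self, ttl_seconds, min_fill_seconds=0.0, clock=time.monotonic):
        self.ttl = float(ttl_seconds)            # the post's T
        self.min_fill = float(min_fill_seconds)  # "submitted too fast to be human" heuristic
        self._clock = clock                      # injectable so tests can fake time
        self._entries = {}                       # id -> _Entry

    def issue(self):
        """Step 1: hand out a fresh, unguessable id for a newly rendered form."""
        self.purge()
        token = secrets.token_urlsafe(32)        # 256 random bits; not enumerable
        now = self._clock()
        self._entries[token] = _Entry(now, now + self.ttl)
        return token

    def purge(self):
        """Step 2: time out ids that have not been used within T. Returns count removed."""
        now = self._clock()
        expired = [t for t, e in self._entries.items() if e.expires_at <= now]
        for t in expired:
            del self._entries[t]
        return len(expired)

    def consume(self, token):
        """Steps 4 and 5: accept a submission only if its id is cached and unexpired,
        and "use up" the id so it cannot be submitted again.

        Returns (accepted, reason)."""
        entry = self._entries.pop(token, None)   # single use: gone after first sight
        if entry is None:
            return False, "unknown or already used"
        now = self._clock()
        if now >= entry.expires_at:
            return False, "expired"
        if now - entry.issued_at < self.min_fill:
            return False, "submitted too fast"
        return True, "ok"

    def __len__(self):
        return len(self._entries)


class FakeClock:
    """Constructed stand-in for time.monotonic so expiry can be driven by hand."""

    def __init__(self, start=0.0):
        self.t = float(start)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through the cases a submission handler must distinguish."""
    clock = FakeClock()
    cache = FormTokenCache(ttl_seconds=300, min_fill_seconds=2, clock=clock)

    tok = cache.issue()                       # form rendered at t=0
    clock.advance(30)                         # genuine user fills it in
    first = cache.consume(tok)                # accepted
    replay = cache.consume(tok)               # same id again: rejected
    forged = cache.consume("id-we-never-issued")

    stale = cache.issue()                     # rendered at t=30, expires at t=330
    clock.advance(301)                        # user wandered off (see footnote [1])
    late = cache.consume(stale)               # rejected as expired

    fast = cache.issue()                      # a robot fetching and posting at once
    clock.advance(0.5)
    quick = cache.consume(fast)               # caught by the fill-time heuristic

    return {"first": first, "replay": replay, "forged": forged,
            "late": late, "quick": quick}
```

The cache is deliberately in-process; on a multi-server setup the same map would have to live in shared storage, and purge() should also run from a periodic task rather than only inside issue().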