Glogger Steven wrote:
Well, IMHO this is no better than my solution using JS. What
do you do if someone has cookies disabled?
I for my part often reject cookies 'just because' when I don't
feel they're really needed...
JavaScript is client side.
It only prevents a form from being submitted.
What if you circumvent that and post directly?
As we know, simulating a POST is quite easy:
telnet to the host on port 80:
"POST /superposter/gna.php HTTP/1.1\r\n
Host: www.blabla.ch\r\n
User-Agent: whatever you want\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Referer: http://www.blabla.ch/urli/index.php\r\n
Cookie: PHPSESSID=1111111\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 57\r\n
\r\n
action=login&nick=username&password=password&submit=LOGIN"
If you get that, you cannot check whether he used your JavaScript or not ;-)
He might check your session ID, but what if the client gets a session ID
and uses that one to fill in the form?
That's so easy :-) (I've been using such a tool as a proxy for an online game
for about 5 years ;-))
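The same forged request built programmatically, as an added example (not code from the original post or from Steven). It computes the Content-Length from the real body and URL-encodes the field values, the two things most likely to go wrong when a request is typed by hand, and it includes a minimal parser standing in for the receiving script to show that the server sees only bytes, with nothing in them that reveals whether a browser, an on-submit JavaScript handler or a script produced them. Host name, path, field names and cookie value are taken from the telnet example above; the Referer value and user agent are arbitrary, and `send_raw` is included for real use but is not needed to run the example.

```python
"""Forge a form POST by hand (added example). The parser is a stand-in for what
a PHP script receives on the other end: it cannot tell a browser from a script."""
import socket
from urllib.parse import urlencode, parse_qs


def build_raw_post(host, path, fields, cookies=None, user_agent="whatever you want"):
    """Return the raw HTTP/1.1 request bytes for a form submission.

    Content-Length is computed from the encoded body; a wrong value makes the
    server wait for bytes that never arrive or cut the body short.
    """
    body = urlencode(fields).encode("ascii")
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {user_agent}",
        f"Referer: http://{host}/",  # arbitrary: the server cannot verify it
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body


def parse_raw_request(raw):
    """Minimal server-side view: request line, lower-cased headers, form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    form = {
        k: v[0]
        for k, v in parse_qs(body[:length].decode("iso-8859-1"), keep_blank_values=True).items()
    }
    return {"method": method, "path": path, "version": version, "headers": headers, "form": form}


def send_raw(host, port, raw, timeout=10):
    """Send the raw request over a plain TCP socket (scripted 'telnet host 80')."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed input mirroring the telnet example; nothing is sent anywhere.
    req = build_raw_post(
        "www.blabla.ch", "/superposter/gna.php",
        {"action": "login", "nick": "username", "password": "p&ss word", "submit": "LOGIN"},
        cookies={"PHPSESSID": "1111111"},
    )
    print(req.decode("ascii"))
    print(parse_raw_request(req)["form"])
```

The password value containing `&` and a space is there on purpose: typed by hand it would split the field, encoded it survives, and the parser's output is the same dictionary a PHP script would find in `$_POST`.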
You still didn't get the point.
Look at my post from 15.08.2006 18:59.
I don't prevent a user from sending the form - I know this is pointless.
But rather I use JS to write some (optionally dynamic) value into the
form before sending. If that value isn't present in the POST request, the
formmailer script refuses to send the mail. This effectively defeats any
non-JS-aware machine including spammers, robots and lynx.
Like I said earlier, this can be combined with dynamic data close to what
Markus Wild also said, for example by using some varying string
containing a timestamp or something like that.
This is a step more effective than Markus' idea with the session, as it
not only requires gathering a very up-to-date version of the form but
additionally the execution of JS.
You could write a function which calculates the value so you can't just
easily copy-paste it out, and so on......
The forms I'm using this on have not been abused anymore since the
introduction of the JS check, since it would really require massive user
interaction.
Matt
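A working sketch of the check Matt describes, as an added example (not Matt's code and not the formmailer's). The server renders a timestamp seed and an empty hidden field; the on-submit JavaScript computes a value from the seed; the mailer refuses the POST if the field is empty, if the value does not match the seed, or if the form is older than a cut-off. The field name `jscheck`, the 15-minute window and the mixing function are assumptions; the function is a 32-bit FNV-1a chosen only because it ports line for line to client-side JavaScript. The last case in `__main__` is the one a practitioner should look at: the function is public, so a client that reimplements it (or simply runs the JS) passes, which is exactly the objection raised earlier in the thread. The check filters non-JS bots; it does not stop a poster who targets this form.

```python
"""Timestamped 'did JavaScript run?' form check (added example)."""
import hmac
import time
from urllib.parse import parse_qs, urlencode

FIELD = "jscheck"      # hidden field the on-submit JS fills in (assumed name)
MAX_AGE = 15 * 60      # seconds a rendered form stays acceptable (assumed window)


def mix(seed):
    """Public challenge function: 32-bit FNV-1a over the seed string.

    Nothing secret here. It is the same computation the client-side JS does,
    so a matching value proves that *something* computed it, not that a browser did.
    """
    h = 0x811C9DC5
    for byte in seed.encode("ascii"):
        h ^= byte
        h = (h * 0x01000193) & 0xFFFFFFFF
    return f"{h:08x}"


def render_form(now):
    """Fields the server embeds when it serves the page: fresh seed, empty token."""
    return {"ts": str(int(now)), FIELD: ""}


def client_fill(form):
    """What the on-submit JavaScript does before the browser POSTs the form."""
    filled = dict(form)
    filled[FIELD] = mix(form["ts"])
    return filled


def verify(body, now=None, max_age=MAX_AGE):
    """Server-side gate in front of the mailer. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    ts = fields.get("ts", "")
    if not ts.isdigit():
        return False, "missing or malformed timestamp"
    age = now - int(ts)
    if age < 0 or age > max_age:
        return False, "form is stale (or from the future)"
    token = fields.get(FIELD, "")
    if not token:
        return False, "hidden field empty: no JavaScript ran"
    # Constant-time comparison is a habit, not a requirement: mix() is not a secret.
    if not hmac.compare_digest(token.encode("utf-8"), mix(ts).encode("ascii")):
        return False, "token does not match the seed"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000                                        # constructed clock value
    form = render_form(now)
    print(verify(urlencode(form), now))                        # lynx or dumb bot: rejected
    print(verify(urlencode(client_fill(form)), now + 60))      # browser that ran the JS: accepted
    print(verify(urlencode(client_fill(form)), now + MAX_AGE + 1))  # stale copy of the form: rejected
    forged = urlencode({"ts": str(now), FIELD: mix(str(now))})  # script that knows mix(): accepted
    print(verify(forged, now + 5))
```

Rejecting forms whose timestamp is in the future matters as much as rejecting old ones: without it a bot can harvest one seed and stamp it far ahead, then reuse the pair indefinitely.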
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog