How can I prevent posting of a form from any other site but the site the
form lives on?

Re: Prevent posting by James

James
Thu Oct 07 15:42:06 CDT 2004

Might want to look into:

Request.ServerVariables("HTTP_REFERER")

"Just1Coder" <just1coder@yahoo.ca> wrote in message
news:OPP5MTKrEHA.592@TK2MSFTNGP11.phx.gbl...
> How can I prevent posting of a form from any other site but the site the
> form lives on?



Re: Prevent posting by David

David
Thu Oct 07 15:44:57 CDT 2004

Set a cookie when the form loads and then check its value when you submit.

Generate an encrypted number when you display the form, de-crypt it when you
save it and check it's correct.



"Just1Coder" <just1coder@yahoo.ca> wrote in message
news:OPP5MTKrEHA.592@TK2MSFTNGP11.phx.gbl...
> How can I prevent posting of a form from any other site but the site the
> form lives on?



Re: Prevent posting by Just1Coder

Just1Coder
Thu Oct 07 15:49:33 CDT 2004

James wrote:
> Might want to look into:
>
> Request.ServerVariables("HTTP_REFERER")
>
> "Just1Coder" <just1coder@yahoo.ca> wrote in message
> news:OPP5MTKrEHA.592@TK2MSFTNGP11.phx.gbl...
>
>>How can I prevent posting of a form from any other site but the site the
>>form lives on?
>
>
>
Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?

Re: Prevent posting by David

David
Thu Oct 07 16:37:40 CDT 2004

No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there and
valid when you process it. You could do it with a database and the visitor's
IP address but it's a bit like overkill.

Regards

David

"Just1Coder" <just1coder@yahoo.ca> wrote in message
news:4165ABDD.3050306@yahoo.ca...
> Yeah... that's what I was thinking...
>
> Currently the form posts to itself...
>
> On one of the first lines I do a check to see if http_referer = ""
>
> Is that enough?



Re: Prevent posting by Just1Coder

Just1Coder
Fri Oct 08 08:41:35 CDT 2004

Could you post an example? Or a link?

David Morgan wrote:
> No, you cannot rely on the referrer any more as some anti-virus/firewall
> software stops the browser from sending that information.
>
> You would check to see that the
>
> Request.ServerVariables("HTTP_REFERER") =
> "http://www.YourDomain.com/YourFormPage.asp"
>
> You need to set some random value in the form and then check it's there and
> valid when you process it. You could do it with a database and the visitor's
> IP address but it's a bit like overkill.
>
> Regards
>
> David

Re: Prevent posting by David

David
Fri Oct 08 08:59:33 CDT 2004

Hi

Sorry, I just don't have the time, but something like this could be enough
...

Create a PIN.

iPIN = Year(Date) + Month(Date) + Day(Date)


<form .... >
<input type="hidden" name="intPIN" value="<%=iPIN%>">
...
</form>

Form is submitted

iPIN = Year(Date) + Month(Date) + Day(Date)

If iPIN <> CLng(Request.Form("intPIN")) Then
' Not submitted from form
End If

Obviously this would allow any referrer who copied the form 'today' and
also, those who display the form before midnight and post it afterward will
have a problem, but you get the idea.


"Just1Coder" <just1coder@yahoo.ca> wrote in message
news:uozfFyTrEHA.2184@TK2MSFTNGP10.phx.gbl...
> Could you post an example? Or a link?



Re: Prevent posting by Just1Coder

Just1Coder
Fri Oct 08 09:04:16 CDT 2004

Ah, I see.

So a random number or GUID or something like that should work OK?

David Morgan wrote:
> Hi
>
> Sorry, I just don't have the time, but something like this could be enough
> ...
>
> Create a PIN.
>
> iPIN = Year(Date) + Month(Date) + Day(Date)
>
>
> <form .... >
> <input type="hidden" name="intPIN" value="<%=iPIN%>"
> ...
> </form>
>
> Form is submitted
>
> iPIN = Year(Date) + Month(Date) + Day(Date)
>
> If iPIN <> CLng(Request.Form("intPIN")) Then
> ' Not submitted from form
> End If
>
> Obviously this would allow any referrer who copied the form 'today' and
> also, those who display the form before midnight and post it afterward will
> have a problem, but you get the idea.

Re: Prevent posting by larrybud2002

larrybud2002
Fri Oct 08 09:45:46 CDT 2004

Just1Coder <just1coder@yahoo.ca> wrote in message news:<OPP5MTKrEHA.592@TK2MSFTNGP11.phx.gbl>...
> How can I prevent posting of a form from any other site but the site the
> form lives on?

Set a session variable when the form loads, then make sure the session
var exists when processing the form.

Re: Prevent posting by Dave

Dave
Fri Oct 08 11:02:17 CDT 2004

Just1Coder wrote:
> How can I prevent posting of a form from any other site but the site
> the form lives on?

Why bother?

It sounds like you are attempting to put some of your security on the client
side. This is trivial to defeat. Heck - with the FireFox LiveHTTPHeaders
extension, I can change anything at all in a request and re-send. Anything.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.



Re: Prevent posting by Just1Coder

Just1Coder
Fri Oct 08 11:15:49 CDT 2004

Dave Anderson wrote:
> Just1Coder wrote:
>
>>How can I prevent posting of a form from any other site but the site
>>the form lives on?
>
>
> Why bother?
>
> It sounds like you are attempting to put some of your security on the client
> side. This is trivial to defeat. Heck - with the FireFox LiveHTTPHeaders
> extension, I can change anything at all in a request and re-send. Anything.
>
>
>
Yes, I know there are several ways around it, but I have been asked to.

Didn't know about that LiveHTTPHeaders extension though, very cool.

Re: Prevent posting by Egbert

Egbert
Sun Oct 10 05:32:32 CDT 2004

"Just1Coder" <just1coder@yahoo.ca> wrote in message
news:u0zTv%23TrEHA.3848@TK2MSFTNGP14.phx.gbl...
> Ah, I see.
>
> So a random number or GUID or something like that should work OK?

Yes, put that random in the session state and check it after a post.
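
Added example (not part of the thread, and not any poster's code): the "random value in session state, checked after the post" approach from the replies above, next to the date-derived PIN it replaces. It is written in Python as a framework-neutral sketch; the `session` and `posted` dictionaries and the `form_token` field name are assumptions standing in for server-side session state and the submitted form fields.

```python
import hmac
import secrets
from datetime import date


def date_pin(today: date) -> int:
    """The date-derived PIN sketched in the thread (Year + Month + Day).

    Identical for every visitor and computable without loading the form;
    distinct dates can also share a sum (2004-10-08 and 2004-08-10).
    """
    return today.year + today.month + today.day


def issue_token(session: dict) -> str:
    """Run when the form is rendered: store a fresh random token in
    server-side session state and return it for the hidden field."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token  # hypothetical key name
    return token


def check_token(session: dict, posted: dict) -> bool:
    """Run when the POST is processed. The token is single-use: it is
    removed from the session whether or not the comparison succeeds."""
    expected = session.pop("form_token", None)
    submitted = posted.get("form_token", "")
    # A missing session token or a missing field must fail, never match.
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def demo() -> dict:
    visitor, stranger = {}, {}  # two constructed server-side sessions
    field = issue_token(visitor)  # value placed in the hidden input
    return {
        "valid_post": check_token(visitor, {"form_token": field}),
        "replayed_post": check_token(visitor, {"form_token": field}),
        "other_session": check_token(stranger, {"form_token": field}),
        "field_missing": check_token({"form_token": "abc"}, {}),
        "pin_collision": date_pin(date(2004, 10, 8)) == date_pin(date(2004, 8, 10)),
    }


if __name__ == "__main__":
    print(demo())
```

A client that loads the form itself receives a valid token, so this check only ties a post to a form the same session was served; every submitted field still has to be validated on the server.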