Prevent posting

Might want to look into:

Request.ServerVariables("HTTP_REFERER")

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:OP*************@TK2MSFTNGP11.phx.gbl...

How can I prevent posting of a form from any other site but the site the
form lives on?

Set a cookie when the form loads and then check it's value when you submit.

Generate an encrypted number when you display the form, de-crypt it when you
save it and check it's correct.

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:OP*************@TK2MSFTNGP11.phx.gbl...

How can I prevent posting of a form from any other site but the site the
form lives on?

James wrote:

Might want to look into:

Request.ServerVariables("HTTP_REFERER")

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:OP*************@TK2MSFTNGP11.phx.gbl...

How can I prevent posting of a form from any other site but the site the
form lives on?

Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?

No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there and
valid when you process it. You could do it with a database and the visitors
IP address but it's a bit like overkill.

Regards

David

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:41**************@yahoo.ca...

James wrote:

Might want to look into:

Request.ServerVariables("HTTP_REFERER")

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:OP*************@TK2MSFTNGP11.phx.gbl...

How can I prevent posting of a form from any other site but the site the
form lives on?

Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?

Could you post an example? Or a link?

David Morgan wrote:

No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there and
valid when you process it. You could do it with a database and the visitors
IP address but it's a bit like overkill.

Regards

David

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:41**************@yahoo.ca...

James wrote:

Might want to look into:

Request.ServerVariables("HTTP_REFERER")

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:OP*************@TK2MSFTNGP11.phx.gbl...
How can I prevent posting of a form from any other site but the site the
form lives on?

Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?

Hi

Sorry, I just don't have the time, but something like this could be enough
....

Create a PIN.

iPIN = Year(Date) + Month(Date) + Day(Date)
<form .... >
<input type="hidden" name="intPIN" value="<%=iPIN%>"
....
</form>

Form is submitted

iPIN = Year(Date) + Month(Date) + Day(Date)

If iPIN <> CLng(Request.Form("intPIN")) Then
' Not submitted from form
End If

Obviously this would allow any referrer who copied the form 'today' and
also, those who display the form before midnight and post it afterward will
have a problem, but you get the idea.
"Just1Coder" <ju********@yahoo.ca> wrote in message
news:uo**************@TK2MSFTNGP10.phx.gbl...

Could you post an example? Or a link?

David Morgan wrote:

No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there and valid when you process it. You could do it with a database and the visitors IP address but it's a bit like overkill.

Regards

David

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:41**************@yahoo.ca...

James wrote:

Might want to look into:

Request.ServerVariables("HTTP_REFERER")

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:OP*************@TK2MSFTNGP11.phx.gbl...
>How can I prevent posting of a form from any other site but the site the>form lives on?

Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?

Ah, I see.

So a random number or GUID or something like that should work OK?

David Morgan wrote:

Hi

Sorry, I just don't have the time, but something like this could be enough
...

Create a PIN.

iPIN = Year(Date) + Month(Date) + Day(Date)
<form .... >
<input type="hidden" name="intPIN" value="<%=iPIN%>"
...
</form>

Form is submitted

iPIN = Year(Date) + Month(Date) + Day(Date)

If iPIN <> CLng(Request.Form("intPIN")) Then
' Not submitted from form
End If

Obviously this would allow any referrer who copied the form 'today' and
also, those who display the form before midnight and post it afterward will
have a problem, but you get the idea.
"Just1Coder" <ju********@yahoo.ca> wrote in message
news:uo**************@TK2MSFTNGP10.phx.gbl...

Could you post an example? Or a link?

David Morgan wrote:

No, you cannot rely on the referrer any more as some anti-virus/firewall
software stops the browser from sending that information.

You would check to see that the

Request.ServerVariables("HTTP_REFERER") =
"http://www.YourDomain.com/YourFormPage.asp"

You need to set some random value in the form and then check it's there
and
valid when you process it. You could do it with a database and the
visitors
IP address but it's a bit like overkill.

Regards

David

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:41**************@yahoo.ca...
James wrote:
>Might want to look into:
>
>Request.ServerVariables("HTTP_REFERER")
>
>"Just1Coder" <ju********@yahoo.ca> wrote in message
>news:OP*************@TK2MSFTNGP11.phx.gbl.. .
>
>
>
>>How can I prevent posting of a form from any other site but the site
the
form lives on?
>
>
>
Yeah... that's what I was thinking...

Currently the form posts to itself...

On one of the first lines I do a check to see if http_referer = ""

Is that enough?

Just1Coder <ju********@yahoo.ca> wrote in message news:<OP*************@TK2MSFTNGP11.phx.gbl>...

How can I prevent posting of a form from any other site but the site the
form lives on?

Set a session variable when the form loads, then make sure the session
var exists when processing the form.

Just1Coder wrote:

How can I prevent posting of a form from any other site but the site
the form lives on?

Why bother?

It sounds like you are attempting to put some of your security on the client
side. This is trivial to defeat. Heck - with the FireFox LiveHTTPHeaders
extension, I can change anything at all in a request and re-send. Anything.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.

Dave Anderson wrote:

Just1Coder wrote:

How can I prevent posting of a form from any other site but the site
the form lives on?

Why bother?

It sounds like you are attempting to put some of your security on the client
side. This is trivial to defeat. Heck - with the FireFox LiveHTTPHeaders
extension, I can change anything at all in a request and re-send. Anything.

Yes, I know but there are several ways around it, but I have been asked to.

Didn't know about that LiveHTTPHeaders extension though, very cool.

"Just1Coder" <ju********@yahoo.ca> wrote in message
news:u0****************@TK2MSFTNGP14.phx.gbl...

Ah, I see.

So a random number or GUID or something like that should work OK?

Yes, put that random in the session state and check it after a post.