Wouldn't this be a good place to use request scope variables instead of
session?

Just asking, never done anything like this before.

Steve


-----Original Message-----
From: Igor Ilyinsky [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:47 PM
To: CF-Talk
Subject: RE: CFMX Form Submission Hacking.


Still not sure how what you're saying works. Let me give you a scenario.

User clicks checkout on the e-commerce app. from his shopping cart.
--> request gets sent to form page; session.notahacker = 1 <--
The page comes up with a request for his CC info in a form.
The same form has a hidden field with the total purchase amount ($35)
User Clicks Save, to save the html page to his desktop.
User Edits the HTML page to change the amount from $35 to $3
User Opens the page in a browser from his local machine.
User clicks submit from this page to my web server
--> request gets sent to submit page; session.notahacker is still 1 <--

What was solved?
-Igor

-----Original Message-----
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 1:38 PM
To: CF-Talk
Subject: Re: CFMX Form Submission Hacking.


Form  Page - set the session variable equal to 1
Processing Page - check to see if the session variable equals 1, and if so,
process the form...... THEN....
set the session variable to 0 and carry on.  That should work for you.

Mike

----- Original Message ----- 
From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 2:24 PM
Subject: RE: CFMX Form Submission Hacking.


> I'm not sure how that would work Mike... If I set the session variable,
> and the user comes back (within the session timeout timeframe) wouldn't the
> session variable persist? It's not like the session is tied to the page
> itself.
>
> -Igor
>
> -----Original Message-----
> From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:51 PM
> To: CF-Talk
> Subject: Re: CFMX Form Submission Hacking.
>
>
> Why not just set some kind of variable on the form page itself, such as
> session.isOnMyServer
> and then on the processing page, check for the existence of that
> variable...
>
> Would that not work for you?
>
> Mike
>
>
> ----- Original Message ----- 
> From: "Igor Ilyinsky" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, June 23, 2003 1:40 PM
> Subject: RE: CFMX Form Submission Hacking.
>
>
> > I realize this... It will not completely prevent hacking...
> > but I would like to make sure that if a person is on my form page, they
> > are not able to save the page, edit some of the hidden form variables, and
> > then submit the page to my server. I am aware that the referrer can be
> > simulated, but that is a deeper degree of the issue I am trying to solve.
> >
> > -Igor
> >
> > -----Original Message-----
> > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 23, 2003 11:41 AM
> > To: CF-Talk
> > Subject: RE: CFMX Form Submission Hacking.
> >
> >
> > > Does anyone have a quick snippet of code that does a regex
> > > match against the referrer to check if a form was submitted
> > > from an internal page (with attention to ports if possible).
> > > Too lazy to write it myself, so hoping someone does this to
> > > prevent hacking of form submissions.
> >
> > That wouldn't prevent "hacking of form submissions", as the referer is
> > provided by the browser, not the server. Also, I'm not sure what you mean
> > by "attention to ports".
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> >
> >
>
> 
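The hidden-amount scenario in Igor's message, handled the way the thread is circling toward: the processing page never trusts the amount field as it arrives, and a single-use nonce issued with the form (rather than a session flag that persists for the whole session) ties each submission to the page the server actually served. This is an added Python example, not code from the thread or from ColdFusion; the secret value, the function names and the in-memory session dict are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-only secret that never reaches the browser (constructed value).
SERVER_SECRET = b"constructed-example-secret-rotate-in-production"

def sign(nonce: str, amount_cents: int) -> str:
    """HMAC over nonce and amount, so neither can be edited without the secret."""
    msg = f"{nonce}:{amount_cents}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def render_checkout_form(session: dict, cart_total_cents: int) -> dict:
    """Form page: returns the hidden fields the HTML would carry. Only the
    single-use nonce is remembered in the session; the amount is not."""
    nonce = secrets.token_hex(16)
    session["checkout_nonce"] = nonce
    return {"amount_cents": str(cart_total_cents), "nonce": nonce,
            "mac": sign(nonce, cart_total_cents)}

def process_checkout(session: dict, form: dict) -> str:
    """Processing page: consume the nonce first (a saved copy of the form
    cannot be submitted twice), then verify the signed amount."""
    issued_nonce = session.pop("checkout_nonce", None)
    if issued_nonce is None or form.get("nonce") != issued_nonce:
        return "rejected: no live checkout form for this session"
    try:
        amount_cents = int(form.get("amount_cents", ""))
    except ValueError:
        return "rejected: malformed amount"
    expected = sign(issued_nonce, amount_cents).encode()
    if not hmac.compare_digest(expected, str(form.get("mac", "")).encode()):
        return "rejected: hidden amount was altered"
    return f"charged {amount_cents} cents"

def demo() -> list:
    """Walks Igor's scenario: an edited saved copy, an honest submit, a replay."""
    session = {}
    fields = render_checkout_form(session, 3500)      # form shows $35.00
    edited = dict(fields, amount_cents="300")          # saved page edited to $3.00
    r1 = process_checkout(session, edited)             # tampered copy submitted
    fields = render_checkout_form(session, 3500)       # user reloads checkout: new nonce
    r2 = process_checkout(session, fields)             # genuine submit
    r3 = process_checkout(session, fields)             # same saved page sent again
    return [r1, r2, r3]

if __name__ == "__main__":
    print(demo())
```

If the server can recompute the total from its own cart record, the hidden amount is redundant and only the nonce is needed; the signature is for values that genuinely have to round-trip through the browser.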


Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq