> > > I have opted to circumvent "unnecessary processing" by
> > > passing these elements through form fields, which improve my
> > > application design and performance. My only issue is making
> > > sure that the submission is authentic, which is not that hard
> > > to do, only I was hoping that someone here was clever enough
> > > to have done it before me.
> >
> > Why not stick the prices in the Session scope, then, if you
> > simply don't want them to change during their transaction?
>
> I don't use the session scope because it is a clustered
> application. I don't like overloading the client scope with
> unnecessary information either.
I guess we differ on our definition of unnecessary information. The fact remains that your application will be vulnerable to simple price-changing attacks, if you allow that data to be accepted as-is from the form. If that doesn't bother you, why not just look at CGI.HTTP_REFERER in your action page and be done with it?

As for making sure the submission is authentic, it's harder to do than you imply. HTTP is a pretty simple protocol, which isn't designed to manage state information. Using the telnet client on nearly any machine, one can send an HTTP request that is indistinguishable from what your browser sends. Using common, freely available tools, one can see what HTTP traffic looks like, in order to build the right request.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
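One stateless way to make a form-carried price verifiable on the action page, added here as an illustration (this is not code from the thread, and it is written in Python rather than ColdFusion): the server signs the hidden fields with a keyed HMAC when it renders the form and rejects any submission whose signature no longer matches. Because only a shared secret is needed, every node in a cluster can verify a form any other node produced. The key, field names and expiry window are assumptions.

```python
"""Signed hidden form fields: detect tampering without server-side state."""
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed example key; in practice load a long random secret from
# configuration and share it across every node that renders or accepts forms.
SERVER_KEY = b"replace-with-a-long-random-secret"
TTL_SECONDS = 30 * 60  # how long a signed price remains acceptable


def _canonical(fields):
    # Deterministic serialization: sorted keys, URL-encoded values, so the
    # same fields always sign to the same bytes regardless of form order.
    return urlencode(sorted(fields.items())).encode()


def sign_fields(fields, key=SERVER_KEY, now=None):
    """Return a copy of the fields with an expiry and an HMAC 'sig' added."""
    signed = dict(fields)
    issued = int(now if now is not None else time.time())
    signed["exp"] = str(issued + TTL_SECONDS)
    signed["sig"] = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify_fields(submitted, key=SERVER_KEY, now=None):
    """Return True only if the submission is unmodified and not expired."""
    fields = dict(submitted)
    presented = fields.pop("sig", None)
    if presented is None or "exp" not in fields:
        return False
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the two strings first differ.
    if not hmac.compare_digest(presented, expected):
        return False
    try:
        expiry = int(fields["exp"])
    except ValueError:  # mangled expiry field
        return False
    return expiry > (now if now is not None else time.time())


if __name__ == "__main__":
    form = sign_fields({"sku": "WIDGET-1", "price": "19.99"})  # constructed
    print(verify_fields(form))                     # → True
    print(verify_fields(dict(form, price="0.01")))  # → False (price changed)
```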

