I'm sure you know one heck of a lot more than me... no doubt! But in CF is
it not possible to write a subscript into the application file to check where
a link is coming from and redirect it if it is not from the same domain? Or,
would the HTTP_REFERER override it anyway? I'm most likely wrong, and I
agree with the fact that unless you are writing a major porn site that is
just asking to be hacked, it is not worth the time or trouble....
Rino
>From: Dave Watts <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: RE: Protect action pages
>Date: Fri, 27 Feb 2004 16:40:47 -0500
>
> > Not so much, because I can view the source of your original
> > form, find all the hidden fields and their values and add
> > them to my spoofed form.
> >
> > This is very difficult to do!!!!.
>
>Yes, and in most cases it's probably not worth your trouble to try to
>prevent it.
>
> > Would sessions help? Not allow access to the action page if
> > a session is not defined? Much beyond that I'm not sure what
> > is practical.
>
>Yes, sessions could help, although you could get the same effect from any
>custom token you generated, as long as you create the token prior to
>getting to the action page.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>phone: 202-797-5496
>fax: 202-797-5444
>
>
>
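
The flow discussed in this thread (create a token before the action page, verify it on the action page, versus trusting HTTP_REFERER), as an added example that is not part of the original messages. It is a framework-neutral Python sketch rather than CFML; the in-memory session store, the function names, the host `www.example.com` and the field name `form_token` are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store (session id -> data).
SESSIONS = {}


def render_form(session_id):
    """Form page: create a fresh token, keep it in the session, and return
    it so the page can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["form_token"] = token
    return token


def referer_check(headers, own_host="www.example.com"):
    """The check asked about above. It only inspects a request header, and
    the client chooses every header it sends, so it proves nothing."""
    return headers.get("Referer", "").startswith(f"https://{own_host}/")


def action_page(session_id, form_fields):
    """Action page: accept the post only if the submitted token matches the
    one issued to this session. The stored token is discarded on every
    attempt, so a token cannot be replayed."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: no session"
    expected = session.pop("form_token", None)  # single use
    submitted = form_fields.get("form_token", "")
    # Compare as bytes in constant time; a missing token never matches.
    if expected is None or not hmac.compare_digest(
        expected.encode(), submitted.encode()
    ):
        return "rejected: bad or missing token"
    return "accepted"


if __name__ == "__main__":
    token = render_form("visitor-1")
    print(action_page("visitor-1", {"form_token": token}))  # genuine post
    print(action_page("visitor-1", {"form_token": token}))  # same token again
    print(referer_check({"Referer": "https://www.example.com/form.cfm"}))
```

Copying the hidden field out of the page source only yields a token tied to the copier's own session, which is why the value has to be checked against server-side state rather than against anything else in the request.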

