> This can't stop anything. Both HTTP_HOST and HTTP_REFERER are set by the
> browser, and can be changed by anyone writing an HTTP client:
>
> <cfhttp ...>
>   <!--- Host and Referer are ordinary request headers here; the client picks the values --->
>   <cfhttpparam type="header" name="Host" value="...">
>   <cfhttpparam type="header" name="Referer" value="...">
> </cfhttp>
>

How about a hidden Flash app that uses the xmlload method to grab the
http_host/http_referer from the server in a hash format that is then
passed with all forms/URLs? On the next pages, the hash returned by
Flash would be compared with a hash of the
cgi.http_host/cgi.http_referer returned by CF/web server. While they
could fake the http_host/http_referer in the web client, it would be
different from the value returned by Flash, so you could reject it.

I don't know enough about Flash to know if that's easy to get around.

Steve Nelson
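The quoted message's point, that Host and Referer are headers chosen by whoever writes the HTTP client, shown end to end as an added example (this is not code from the original thread and not ColdFusion; the hash comparison follows the scheme proposed above, with the Flash fetch of the hash stood in for by a plain GET from the same client). The web server's header-to-CGI mapping is simplified, and `SERVER_SECRET`, the `/token` and `/submit` paths and the hostnames are all assumed for the demonstration:

```python
"""Host/Referer are client-supplied: a raw HTTP client, a CGI-style request
parser standing in for the web server, and a tiny app that hands out a
hash of HTTP_HOST|HTTP_REFERER and later checks it (the comparison the
post proposes). Everything here is constructed for the example."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Server-side key for the hash. Assumed for the example; not in the original post.
SERVER_SECRET = b"demo-secret-not-in-original"


def build_request(method, path, headers, body=b""):
    """Serialise a raw HTTP/1.1 request exactly as any client (browser,
    cfhttp, curl) does. Host and Referer are just two more header lines."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_request(raw):
    """Turn the raw request into a CGI-style environ, the way the web server
    populates what ColdFusion exposes as cgi.http_host / cgi.http_referer.
    Simplified: every header becomes HTTP_<NAME>."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "BODY": body}
    for line in header_lines:
        name, _, value = line.partition(":")  # first colon only; URLs keep theirs
        environ["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return environ


def expected_token(environ):
    """The server's hash over the request's own Host and Referer."""
    msg = (environ.get("HTTP_HOST", "") + "|" + environ.get("HTTP_REFERER", "")).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def app(environ):
    """/token hands out the hash (what the hidden Flash app would fetch);
    /submit accepts the form only if the submitted token matches a fresh hash
    of the submitting request's Host/Referer."""
    if environ["PATH_INFO"] == "/token":
        return 200, expected_token(environ)
    if environ["PATH_INFO"] == "/submit":
        form = parse_qs(environ["BODY"].decode())
        submitted = form.get("token", [""])[0]
        if hmac.compare_digest(submitted, expected_token(environ)):
            return 200, "accepted"
        return 403, "token mismatch"
    return 404, "not found"


def client_round_trip(host, referer, submit_referer=None):
    """A hand-written HTTP client: it chooses Host and Referer, fetches /token
    under those headers, then posts the form with the token. If submit_referer
    is given, the form is posted under a different Referer than the fetch."""
    headers = {"Host": host, "Referer": referer, "User-Agent": "not-a-browser/1.0"}
    status, token = app(parse_request(build_request("GET", "/token", headers)))
    if status != 200:
        return status, token
    if submit_referer is not None:
        headers["Referer"] = submit_referer
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    body = f"token={token}&comment=hello".encode()
    return app(parse_request(build_request("POST", "/submit", headers, body)))


if __name__ == "__main__":
    # Whatever Host/Referer the client chooses, the server sees them as
    # cgi.http_host / cgi.http_referer and the hash check passes, because the
    # same client fetched the token under the same headers.
    print(client_round_trip("www.example.com", "http://www.example.com/form.cfm"))
    print(client_round_trip("attacker.invalid", "http://anywhere.invalid/"))
    # The check only fails when the two requests disagree with each other.
    print(client_round_trip("www.example.com", "http://a.invalid/", "http://b.invalid/"))
```

The `/token` endpoint is reachable by the same client that sends the form, so the comparison only ever detects a client that changed its own headers between the two requests; with fixed headers of any value it passes.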