Andrew.
>I used to create a uuid, store it in a persistent scope, hash it, put
>that in the hidden form field and then do a comparison on the form post
>side. I thought this would stop scrapers as they couldn't know the hash
>source.
>
>I threw this out here in another thread and asked if it had holes. Dave
>Watts pointed out that anyone can visit the form page and take the
>hidden field and the key pair cookie values. Once they have those and
>can fake headers they can blow right past pretty much anything but the
>gif-code thingie, but even that just requires a human to submit.
>
>I'd recommend doing all of the tests you can think of. Referrers,
>request method, hidden fields, input scrubbing, cfqueryparam etc. But I
>don't think the solution can be made truly ironclad.
>
>--------------------------------------------
> Matt Robertson [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
>--------------------------------------------
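
The hidden-field scheme from the quoted message, as an added example that is not part of the original thread: it is written in Python rather than ColdFusion, a plain dict stands in for the persistent session scope, and the function names and the 15-minute lifetime are assumptions. It makes the token single-use and time-limited, and shows which posts the check rejects and which it cannot.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a rendered form stays valid (assumed value)


def issue_form_token(session, now=None):
    """Form page: keep a random secret server-side, return its hash for the hidden field."""
    now = time.time() if now is None else now
    secret = secrets.token_hex(16)  # plays the role of the uuid in the message
    session["form_secret"] = secret
    session["form_issued"] = now
    return hashlib.sha256(secret.encode()).hexdigest()


def check_form_token(session, submitted, now=None):
    """Form post: returns (ok, reason). The secret is consumed on every attempt."""
    now = time.time() if now is None else now
    secret = session.pop("form_secret", None)
    issued = session.pop("form_issued", 0)
    if secret is None:
        return False, "no token issued for this session"
    if now - issued > TOKEN_TTL:
        return False, "token expired"
    expected = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(expected.encode(), (submitted or "").encode()):
        return False, "token mismatch"
    return True, "ok"


def demo():
    """Run the check over constructed sessions and return each outcome."""
    s, s2, s3 = {}, {}, {}
    tok = issue_form_token(s, now=1000)
    out = {"normal": check_form_token(s, tok, now=1010)}
    # "normal" passes for any client that loaded the form in this session,
    # browser or script: the gap Dave Watts pointed out.
    out["replay"] = check_form_token(s, tok, now=1011)      # same token again
    out["blind"] = check_form_token({}, "0" * 64, now=1000)  # never saw the form
    tok2 = issue_form_token(s2, now=1000)
    out["expired"] = check_form_token(s2, tok2, now=1000 + TOKEN_TTL + 1)
    issue_form_token(s3, now=1000)
    out["wrong"] = check_form_token(s3, "f" * 64, now=1001)
    return out


if __name__ == "__main__":
    print(demo())
```
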

