You might solve this issue with the commonly used challenge-response
security. It allows users to post a form only once per form call, and
zeroes out misuse of forms.

The idea behind this is that you create a value server-side with ColdFusion
and verify this value against a dynamically created MD5 string.

Here is an example:


The form.cfm: 

You create a challenge here, a dynamically created value using
getTickCount() (because getTickCount() is faster than createUUID()),
and you save that challenge into the session for that specific user (this
is important because you need to use it on the backend for validation).




<script type="text/javascript">
// Runs on submit: response = challenge + MD5(email), stored in the hidden field
function createResponse(){
        var response = document.forms['myform'].challenge.value +
                hex_md5(document.forms['myform'].email.value);
        document.forms['myform'].response.value = response;
        return true;
}
</script>



<form method="post" action="index.cfm?event=validate" name="myform"
      onsubmit="return createResponse()">
        <cflock scope="session" type="exclusive" timeout="15">
                <cfset session.challenge = GetTickCount()>
                <!--- cfoutput is required here, otherwise #session.challenge# is emitted literally --->
                <cfoutput>
                <input type="hidden" name="challenge" value="#session.challenge#">
                </cfoutput>
                <input type="hidden" name="response" value="">
        </cflock>

        <label for="email">Please login:</label>
        <input type="text" name="email" id="email" value="" />

        <input type="submit" value="login">
</form>




Now on the backend you reassemble these values and check the challenge
against the response. If they are equal the form post is valid, else ...
bye-bye request.

<cflock scope="session" type="readonly" timeout="15">
        <!--- Rebuild the expected value, then clear the challenge so it can only be used once --->
        <cfset challenged = session.challenge & Hash(form.email)>
        <cfset responded = form.response>
        <cfset session.challenge = "">
</cflock>

<cfif challenged NEQ responded>
        <script type="text/javascript">
        alert('Invalid attempt');
        </script>
        <cfabort>
</cfif>

You need a JavaScript MD5 library for this, but they can be found
anywhere. Make sure you pick a standards-compliant one or else MD5
strings created by ColdFusion will not match the ones created with
JavaScript.


Micha Schopman
Software Engineer

Modern Media, Databankweg 12 M, 3821 AL  Amersfoort
Tel 033-4535377, Fax 033-4535388
KvK Amersfoort 39081679, Rabo 39.48.05.380
