and have an active session with a matching key in the session
scope.....seems like it would be a lot of work to create the session,
load the form, save the form locally, change the post path, spoof the
session, etc. just to post it from somewhere else once.  Not
bulletproof, but worked well enough for my needs.

On 5/8/07, Maximilian Nyman <[EMAIL PROTECTED]> wrote:
> But the only thing I have to do to get around that is to hit the
> "live" form, do a View source, get the hidden values and update my
> local form with those hidden value(s).
>
>
>
> On 5/9/07, Ken Wexel <[EMAIL PROTECTED]> wrote:
> > When I ran into this problem previously, I'd set a value into the user
> > session and set the same value as a hidden form field.  On post, if
> > the two didn't match, I knew the posting was invalid.  Can be
> > something as simple as a long numeric value..
> >
> > On 5/8/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
> > > That's where I started....but the thing is, I think they can spoof that
> > > variable?  Or not?
> > >
> > >
> > > -----Original Message-----
> > >
> > > From: AJ Mercer [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, May 08, 2007 9:53 PM
> > > To: CF-Talk
> > > Subject: Re: defeating offline form posts
> > >
> > > Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
> > > This is the page before the current one - it should have your server
> > > details in there, otherwise discard.
> > >
> > >
> > > On 5/9/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Curious question here.   If I think about this, if someone takes a
> > > > form of ours for login, for example, and makes a local copy on their
> > > > machine....and they set the post action to be the live server
> > > > authenticate file....what is the best way to detect this and defeat
> > > > it?
> > > > No one has ever gained access this way as of yet, but we are studying
> > > > possibilities, and this seems to me to be an attack vector.
> > > >
> > > >
> > > >
> > > > Any thoughts?    A check to see if the referrer was the domain
> > > > name/login file name?   Or can that be spoofed as well then?
> > > >
> > > >
> > > >
> > > > Thanks~!
> > > >
>
> 

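The session-bound hidden value Ken describes, with the "post it once" refinement from the top reply, written out as an added example (Python rather than the thread's ColdFusion, and not code from any of the posters); the names `new_session`, `issue_form_token`, `validate_form_post` and `scenarios` are chosen here, and the in-memory dict stands in for the server's session scope.

```python
import hmac
import secrets

def new_session():
    """Constructed stand-in for the server-side session scope (CF's SESSION scope)."""
    return {"form_tokens": {}}

def issue_form_token(session, form_name):
    """Run when the live server renders the form.

    Stores a random, unguessable value in the session under the form's name
    and returns it for the hidden field.  A saved copy of the form therefore
    carries a value that is only valid for the session that rendered it."""
    token = secrets.token_urlsafe(32)
    session["form_tokens"][form_name] = token
    return token

def validate_form_post(session, form_name, posted_token):
    """Run by the action page before trusting anything that was posted.

    True only if this session issued a token for this form and the posted
    value matches.  The stored token is consumed either way, so a value
    that was captured once cannot be posted again."""
    expected = session["form_tokens"].pop(form_name, None)
    if expected is None or posted_token is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode(), str(posted_token).encode())

def scenarios():
    """Walk through the cases raised in the thread and return the outcomes."""
    results = {}
    user = new_session()
    tok = issue_form_token(user, "login")
    results["legit_post"] = validate_form_post(user, "login", tok)        # True
    results["replayed_post"] = validate_form_post(user, "login", tok)     # False: consumed
    other = new_session()
    lifted = issue_form_token(other, "login")
    issue_form_token(user, "login")                                       # user renders a fresh form
    results["lifted_token"] = validate_form_post(user, "login", lifted)   # False: other session's token
    issue_form_token(user, "login")
    results["missing_token"] = validate_form_post(user, "login", None)    # False: hidden field stripped
    return results

if __name__ == "__main__":
    print(scenarios())
```

This ties a post to the session that rendered the form and to a single use; as the thread already notes, it is not bulletproof, since anyone who loads the live form in their own session gets a valid value for that session.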
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277409
