What would be an appropriate length of time for a session variable for a hacker who's doing what you described:

"If they read in the form page and then submit it using a script for many days without re-reading the original form it will appear to the server that they took days to fill."

Would the same hold true for session variables?

-----Original Message-----
From: Al Musella, DPM [mailto:[email protected]]
Sent: Friday, February 15, 2013 11:18 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net

If they read in the form page and then submit it using a script for many days without re-reading the original form, it will appear to the server that they took days to fill. So testing for more than a few hours should be good... sessions might work but they should expire quickly... then if the session variable is not present you know they took too long.

At 10:04 PM 2/15/2013, you wrote:
>You mean, by staying on the page so long that it's an indication
>that he's hacking the form or the cfc method that does the processing
>instead of doing a normal form submit like a typical user would?
>
>And what if the hacker has cookies disabled? And are you suggesting that
>a session variable wouldn't be as good as a cookie?
>
>Thanks for the feedback...
>
>Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354554


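The check discussed in this thread, sketched as an added example (not code from the thread, and written in Python rather than ColdFusion so it runs stand-alone): the server stamps the session when the form is served and rejects a post whose session has expired or whose form is older than a few hours. The one-time token goes beyond what the thread proposes; `FormGuard`, the 20-minute session timeout and the 2-hour form limit are assumptions.

```python
import secrets
import time

SESSION_TTL = 20 * 60       # assumed value: session dies after 20 idle minutes
MAX_FORM_AGE = 2 * 60 * 60  # assumed value for "a few hours"

class FormGuard:
    """In-memory stand-in for the server's session scope (hypothetical class)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session id -> last_seen, issued_at, token

    def render_form(self, sid=None):
        """Serve the form: stamp the session and issue a hidden-field token."""
        now = self.clock()
        sid = sid or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self.sessions[sid] = {"last_seen": now, "issued_at": now, "token": token}
        return sid, token

    def check_submit(self, sid, token):
        """Return 'ok', or the reason the post is rejected."""
        now = self.clock()
        sess = self.sessions.get(sid)
        if sess is None or now - sess["last_seen"] > SESSION_TTL:
            self.sessions.pop(sid, None)
            return "no_session"   # expired, or the client sent no session cookie
        sess["last_seen"] = now
        if now - sess["issued_at"] > MAX_FORM_AGE:
            return "stale_form"   # session kept alive, but the form was read long ago
        expected = sess["token"]
        if not expected or not secrets.compare_digest(
                (token or "").encode(), expected.encode()):
            return "bad_token"    # missing, wrong, or already used
        sess["token"] = None      # one-time: the next post must re-read the form
        return "ok"

def replay_demo():
    """Constructed scenario: the form is read once, then posted by a script."""
    t = [0.0]
    guard = FormGuard(clock=lambda: t[0])
    sid, token = guard.render_form()
    verdicts = []
    for delay in (90, 60, 3 * 86400):  # seconds since the previous request
        t[0] += delay
        verdicts.append(guard.check_submit(sid, token))
    verdicts.append(guard.check_submit(None, token))  # no cookie at all
    return verdicts
```

A client with cookies disabled never presents a session id, so it falls into the same `no_session` branch as an expired session.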