Well, then the rogue site does this:

1.  page scrape of SEARCH.CFM (session is generated)
2.  execute RESULTS.CFM (session is valid)

I started to write the same thing you did and thought of this scenario.
Still trying to think of a better way...


David L. Penton, MCP
Consultant
"Mathematics is music for the mind, and Music is Mathematics for the
Soul. - J.S. Bach"
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
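The hidden-uid check from Billy's post and the scrape-then-post scenario above, modelled in Python as an added example (not code from the thread; the class and function names are constructed). It goes one step beyond the thread: the token is random rather than a timestamp and is cleared once used, which limits a scraped uid to a single post but, as the rogue-site flow shows, still does not tell a scraper apart from a browser.

```python
import re
import secrets


class SearchApp:
    """Toy model (constructed for this example) of SEARCH.CFM and RESULTS.CFM
    using the session-bound hidden "uid" field proposed in the thread."""

    def __init__(self):
        self.sessions = {}  # session id -> data; stands in for ColdFusion's CFID/CFTOKEN session

    def search_page(self, sid=None):
        """GET SEARCH.CFM: start a session if the client has none, store a fresh
        token in it and embed the same token in the form's hidden field."""
        if sid not in self.sessions:
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
        # A random value stands in for URLEncodedFormat(now()); a timestamp is guessable.
        token = secrets.token_urlsafe(16)
        self.sessions[sid]["token"] = token
        return sid, f'<input type="hidden" name="uid" value="{token}">'

    def results_page(self, sid, form):
        """POST RESULTS.CFM: the cfif checks from the thread, plus (added here)
        clearing the token so a scraped uid works at most once."""
        sess = self.sessions.get(sid)
        if sess is None or "token" not in sess:
            return "rejected: no session token"
        if form.get("uid") != sess["token"]:
            return "rejected: uid does not match session"
        del sess["token"]
        return "ok: processing search"


def scrape_uid(html):
    """What a page scrape of SEARCH.CFM recovers: the hidden uid value."""
    return re.search(r'name="uid" value="([^"]+)"', html).group(1)


def rogue_site_flow(app):
    """David's two steps: fetch SEARCH.CFM (a session is generated), then
    execute RESULTS.CFM with the scraped uid under that same session."""
    sid, html = app.search_page()
    return app.results_page(sid, {"uid": scrape_uid(html)})


def replay_flow(app):
    """Same scrape, uid submitted twice: the second post fails only because
    of the one-time-use addition, not because of the original check."""
    sid, html = app.search_page()
    uid = scrape_uid(html)
    return app.results_page(sid, {"uid": uid}), app.results_page(sid, {"uid": uid})
```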



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Billy Cravens
Sent: Thursday, February 01, 2001 1:15 PM

I really like that idea.  Do something that is unique, like,
<cfset session.timestamp = URLEncodedFormat(now())>
<input type="hidden" name="uid"
value="<cfoutput>#session.timestamp#</cfoutput>">


on action page:
<cfif IsDefined("session.timestamp") AND IsDefined("form.uid")>
   <cfif session.timestamp eq form.uid>
        <!--- form processing here --->
   <cfelse>
        <!--- request did not come from your own form page --->
   </cfif>
</cfif>

Perhaps you could do something in a cfelse clause that redirects them to
your home page (free traffic, for your site, not theirs), gives them a
"go away" message, interfaces with the FBI's NCIC database to place them
on the top ten most wanted list, etc.

--
Billy Cravens
HR Web Development, Sabre
[EMAIL PROTECTED]


Andrea Loubier wrote:
>
> in that case,
>
> how bout setting a session variable on the form page (which can't be seen
> using 'view source' on the form page) and then running a cfif on the post
> page to see if the session variable is equal to whatever you told it to be.
> if it is then proceed with the submit, if it isn't then spit out HTML code
> that says 'error, this request was not submitted by the right page'.
> again, the cfif code can't be seen when they view source so they shouldn't
> be able to know what you're checking for.
>
> or some combination of that, HTTP referer and the java suggestion.
>
> >HTTP_REFERER can be easily spoofed.  It is only a precaution - I'll bet that
> >when you do that, even when you contact the other sites, they may *still*
> >use your search afterwards.
> >
> >
> >David L. Penton, MCP
> >Consultant
> >"Mathematics is music for the mind, and Music is Mathematics for the
> >Soul. - J.S. Bach"
> >[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
> Andrea Loubier
> [EMAIL PROTECTED]
>
> Gothica Creative
> Digital Media Specialists
> 1801 Laws Street
> Dallas, Texas 75202
> 214.720.0884 voice
> 214.303.0698 fax



-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org
