Re: [PHP] Is it possible to verify that a form submission is not being "spoofed"?

2002-04-30 Thread Kevin Stone

The only foolproof method is to have the application generate an image.
The image will contain a random number or series of letters.  The user must
type these into a form field to continue.  It's a password that only humans
can read.  It won't prevent an outside script from 'trying' to access the
system, but since the script cannot read what is on the image it has
to try 50,000,000 keys until it finds the right one.

It works.

-Kevin





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Is it possible to verify that a form submission is not being "spoofed"?

2002-04-30 Thread James E. Hicks III

This random number, because it is being sent to the user, is just as easy to
forge as the rest of the fields on the form. The only thing you can do is check
the referrer on the submitted page, but alas even this can be forged with enough
techno-how. Good luck!

James


-Original Message-
From: Cal Evans [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 4:05 PM
To: Warrick Wilson; [EMAIL PROTECTED]
Subject: RE: [PHP] Is it possible to verify that a form submission is not
being "spoofed"?


Generate a random number when creating a form, store it in the session and
in a hidden field on the form. Then when the post comes back, make sure the hidden
field is there and that it matches the one in the session.

Cal
*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*






Re: [PHP] Is it possible to verify that a form submission is not being "spoofed"?

2002-04-30 Thread Jason Wong

On Wednesday 01 May 2002 04:05, Cal Evans wrote:
> Generate a random number when creating a form, store it in the session and
> in a hidden field on the form. Then when the post comes back, make sure the
> hidden field is there and that it matches the one in the session.

But the flaw in that is if the nasty user was determined, there's nothing to 
stop them from:

1) looking at the source of the legitimate page
2) grabbing the 'hidden' value
3) creating their own form along with that hidden value
4) opening a new window
5) loading their own form and submit away.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
People say I live in my own little fantasy world... well, at least they
*know* me there!
-- D.L. Roth
*/





RE: [PHP] Is it possible to verify that a form submission is not being "spoofed"?

2002-04-30 Thread Cal Evans

Generate a random number when creating a form, store it in the session and
in a hidden field on the form. Then when the post comes back, make sure the hidden
field is there and that it matches the one in the session.

Cal
*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*






[PHP] Is it possible to verify that a form submission is not being "spoofed"?

2002-04-30 Thread Warrick Wilson

I'm having a hard time explaining what I'm trying to do, which is why I'm
having a hard time finding anything online/in manuals...

My site serves a form for the user to fill in. User has been authenticated
with a login and we're using PHP 4 sessions. When using Internet Explorer,
the user can hit Ctrl-N and get a new window, but his session for that new
window is still valid. He could then load up a local page and submit it to
the target of my original form.

Is there some way of detecting that the submission came from a page that
hadn't been served up by my application, but was instead sent in from some
other "foreign" form?

Or maybe the question is - how can I kill off sessions if the user navigates
away from the page that I sent him originally?


Warrick Wilson
mailto:[EMAIL PROTECTED]

