[thelist] CF: source of POST variables

Raymond Camden jedimaster at macromedia.com
Fri Aug 2 09:18:01 CDT 2002


A session would help, but it could still be hacked, it would just be
harder. I'd have to hit your site so that you gave me the cookies and
assigned me the session data. I would then need to make my own form
page, and when I put it on my local machine, run it, and it posts to
your server, it would still pass the cookies because all cookies for a
site are passed in when you hit that site. (Make sense?)

One way to do it would be:

User hits your form. You generate a UUID and store that as a hidden form
value. You store that same UUID in the database.
User hits submit on your form. You check to make sure the UUID exists.
Process the form and then delete the UUID from the db.

Of course, if I were using a HTTP post to hack your site, I'd simply hit
your action page first and rip out the UUID. But it would be more
difficult for the hacker at least.

=======================================================================
Raymond Camden, ColdFusion Jedi Master for Macromedia

Email    : jedimaster at macromedia.com
Yahoo IM : morpheus

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org] On Behalf Of jon steele
> Sent: Friday, August 02, 2002 10:08 AM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] CF: source of POST variables
>
>
> --- Raymond Camden <jedimaster at macromedia.com> wrote:
> > As far as I know, http_referer is your only real choice.
> You can devise
> > a hack like putting a form variable in the original form
> with a special
> > name based on the day, perhaps, and then check for that on
> the action
> > page. This would potentially stop someone who stole your
> code yesterday,
> > but, it's still not a great solution.
>
> That's something to work with, thanks...maybe I can come up
> with some random algorithm based on
> the hour, or the timestamp rounded to 1000 or something.
>
> Would sessions be reliable? i.e setting a session when the
> user leaves and reading it when they
> return...my first impression is no, as there is a good chance
> the session may be terminated, which
> will keep valid users out.
>
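The one-time-token flow sketched above, as an added Python example (not ColdFusion code from the thread or from either poster). It goes one step past the post: each token is also tied to the session that received the form, so a UUID harvested by first fetching the form page is useless from any other session, and the token is deleted before the form is processed so a double submit cannot be replayed. The in-memory dict and the session ids are constructed stand-ins for the database and for the cookie-backed session.

```python
import html
import secrets
import time

# Constructed stand-in for the database table the post describes:
# token -> (session_id, issued_at). A real app would use a DB row.
TOKENS = {}
TOKEN_TTL_SECONDS = 600  # tokens older than this are rejected even if unused

def issue_token(session_id, now=None):
    """Form page: mint a one-time token, record which session got it,
    and hand it back to be embedded as a hidden form field."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)  # stands in for ColdFusion's createUUID()
    TOKENS[token] = (session_id, now)
    return token

def hidden_field(token):
    """Markup for the hidden input that carries the token to the action page."""
    return '<input type="hidden" name="formtoken" value="%s">' % html.escape(token)

def consume_token(session_id, token, now=None):
    """Action page: accept the POST only if the token exists, belongs to the
    posting session, and is still fresh. The token is removed first, so it is
    single-use whether or not it validates (no replay on a second submit)."""
    now = time.time() if now is None else now
    record = TOKENS.pop(token, None)
    if record is None:
        return False  # never issued, already used, or fabricated
    owner, issued_at = record
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False  # stale token
    # Constant-time compare; session ids assumed ASCII.
    return secrets.compare_digest(owner.encode(), session_id.encode())

if __name__ == "__main__":
    form_token = issue_token("session-A")
    print(hidden_field(form_token))
    print("same session:", consume_token("session-A", form_token))
    harvested = issue_token("session-A")  # token lifted from session A's form
    print("posted from other session:", consume_token("session-B", harvested))
```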
