Participant
April 7, 2009
Question

Coldfusion POST method security

  • April 7, 2009
  • 1 reply
  • 641 views

I am implementing a registration page where users can input their personal data. The page is named registration.cfm. The page then sends the data to itself via a form POST method for further processing. In practice, what is the best security framework to ensure that the data passed was from the original registration.cfm page? Thanks in advance.


1 reply

April 8, 2009

The easiest way would be to check CGI.HTTP_REFERER to see if it's your registration.cfm page. Another way to go about it would be to check for session values to make sure that a session value set on the initial page load matches the one currently in session. Something like this:

<!--- Requires session management to be enabled (sessionmanagement="true" in Application.cfc / cfapplication) so Session.FormID survives between requests --->
<cfparam name="Session.FormID" default="#CreateUUID()#" />

<cfif IsDefined("FORM.Fieldnames")>
     <!--- The form has been submitted --->
     <cfparam name="FORM.FormID" default="" />
     <cfif FORM.FormID NEQ Session.FormID>
          <p>Bad user, not sent from our site.</p>
          <!--- Give them a new form id, just to make it a little harder --->
          <cfset Session.FormID = CreateUUID() />
     <cfelse>
          <!--- Continue processing your form --->
     </cfif>
</cfif>

<!--- Lots of other code --->

<cfform>
     <!--- Lots of other form fields --->
     <cfinput type="hidden" name="formid" value="#Session.FormID#" />
</cfform>

Hope that helps,

Daniel Short

Adobe Community Expert   
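The same per-session token check, written out as an added example in Python rather than CFML (this is not code from the original post or from Adobe): a dict stands in for the Session scope, `render_form` plays the first page load that sets Session.FormID, `handle_post` plays the self-POST branch, and `referer_check` is the CGI.HTTP_REFERER alternative so the two can be compared side by side. Beyond the posted snippet it compares the token in constant time and rotates it after a successful submission as well, so a captured POST cannot be replayed. The session id, the field name `formid`, the 32-byte token size and the example.com URL are assumptions for the demo.

```python
import hmac
import secrets
from typing import Dict

# Stand-in for ColdFusion's Session scope: one dict per session cookie value.
# Constructed for this example; a real app needs server-side session
# management enabled so the stored form id survives between requests.
SESSIONS: Dict[str, Dict[str, str]] = {}

TOKEN_BYTES = 32  # assumption: 256 random bits, playing the role CreateUUID() has above


def _new_token() -> str:
    return secrets.token_urlsafe(TOKEN_BYTES)


def render_form(session_id: str) -> Dict[str, str]:
    """First load of the registration page: issue a per-session form id and
    return the hidden field the form would embed.
    Same idea as <cfparam name="Session.FormID" default="#CreateUUID()#">."""
    sess = SESSIONS.setdefault(session_id, {})
    sess.setdefault("FormID", _new_token())
    return {"formid": sess["FormID"]}


def handle_post(session_id: str, form: Dict[str, str]) -> str:
    """The self-POST branch (IsDefined("FORM.Fieldnames") in the snippet).
    Returns "accepted" or "rejected" instead of rendering HTML."""
    sess = SESSIONS.setdefault(session_id, {})
    expected = sess.get("FormID")
    supplied = form.get("formid", "")
    # Constant-time comparison: a plain != can leak how many leading bytes
    # matched through timing. Encode first so non-ASCII input cannot raise.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        sess["FormID"] = _new_token()   # rotate on failure, as the snippet does
        return "rejected"
    sess["FormID"] = _new_token()       # rotate on success too: one token, one submission
    return "accepted"


def referer_check(headers: Dict[str, str],
                  expected_prefix: str = "https://example.com/registration.cfm") -> bool:
    """The CGI.HTTP_REFERER approach. It passes whenever the client chooses
    to send that header, which any HTTP tool lets it do."""
    return headers.get("Referer", "").startswith(expected_prefix)


def demo() -> Dict[str, str]:
    """Three requests against one session: a genuine submit, a replay of the
    same token, and a forged submit that carries only a spoofed Referer."""
    SESSIONS.clear()
    token = render_form("cookie-abc")["formid"]
    results = {}
    results["genuine"] = handle_post("cookie-abc", {"formid": token, "email": "a@example.com"})
    results["replay"] = handle_post("cookie-abc", {"formid": token, "email": "a@example.com"})
    forged_headers = {"Referer": "https://example.com/registration.cfm"}  # attacker-chosen
    referer_ok = referer_check(forged_headers)                            # True: header check is fooled
    token_ok = handle_post("cookie-abc", {"email": "x@example.com"}) == "accepted"
    results["referer_only"] = "accepted" if referer_ok and token_ok else "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': 'accepted', 'replay': 'rejected', 'referer_only': 'rejected'}
```

Two caveats worth keeping in mind. The token only proves the POST came from a browser session that was previously served the form; a user (or attacker) who loads the form in their own browser holds a valid token and can still edit every other field before submitting, so it does nothing about the content of the data. And because the token lives in the session, the check is only as strong as the session cookie handling (HttpOnly, Secure, and no session id in the URL).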

Known Participant
April 10, 2009

If security is a concern, keep in mind that headers can easily be messed with. You might want to try out the Tamper Data addon for Firefox to see what I mean. Even if the form was submitted from the correct page, it won't mean that your user input is clean and safe. If you haven't seen what can so easily be done, you are about to be terrified hehe... Form input is a great place for a blind SQL injection attack. Sometimes developers will cover url variables pretty well, but not cover form input so much.

Best practice is to assume that any and all user input is going to be used as an attack, and treat it accordingly.
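To make the blind SQL injection point concrete, here is an added example (not from the original thread) in Python with an in-memory SQLite table standing in for the registration store. `lookup_vulnerable` splices a form field into the statement the way concatenated CFML queries do, `lookup_safe` binds it as a parameter, and `recover_email_prefix` shows what "blind" means: the attacker never sees an error or the data directly, only whether a row came back, and still reads the victim's e-mail one character at a time. The table, the two users and the alphabet are constructed for the demo.

```python
import sqlite3
from typing import Callable, List

Lookup = Callable[[sqlite3.Connection, str], List[str]]


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the registration store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # The form field becomes part of the statement text, so quotes, AND/OR
    # and comment markers inside it are executed as SQL.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # Bound parameter: the value travels separately from the statement and
    # can only ever be compared as a string, never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,))]


def blind_probe(conn: sqlite3.Connection, lookup: Lookup,
                victim: str, position: int, guess: str) -> bool:
    """Boolean-based blind probe: the page shows a result only when the
    injected condition is true, so each request answers one yes/no question."""
    payload = f"{victim}' AND substr(email, {position}, 1) = '{guess}' -- "
    return len(lookup(conn, payload)) > 0


def recover_email_prefix(conn: sqlite3.Connection, lookup: Lookup,
                         victim: str, length: int) -> str:
    """Drive blind_probe character by character over a small alphabet.
    Against the parameterised lookup every probe is false and nothing leaks."""
    alphabet = "abcdefghijklmnopqrstuvwxyz@."
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if blind_probe(conn, lookup, victim, pos, ch):
                recovered += ch
                break
        else:
            break  # no character matched: either end of string or not injectable
    return recovered


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))              # every user's e-mail
    print(lookup_safe(db, "' OR '1'='1"))                    # []
    print(recover_email_prefix(db, lookup_vulnerable, "alice", 5))  # 'alice'
    print(recover_email_prefix(db, lookup_safe, "alice", 5))        # ''
```

The fix is the parameter binding, not input filtering: in CFML that is `<cfqueryparam>` on every value that comes from FORM, URL, or CGI. Escaping quotes by hand tends to miss one field, and as the reply above notes, the form fields are the ones developers most often forget.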