Participating Frequently
February 1, 2009
Question

How to lock down a form handler .cfm to prevent request forgery

I've got a simple wish, to only allow my form handling CF page to accept POST input from the server the page resides on. HTTP headers can be spoofed so won't suffice. Is there a way to do this?


    Inspiring
    February 2, 2009
    try this:

    on the form's page, set a session variable with a unique value, like a
    uuid, and store this var in a hidden form field.
    on the form's action page check that the hidden field exists, the
    session var exists and that they match before accepting the post.

    if someone posts directly to your action page, they won't have the
    session var defined.

    you need to have session management enabled in cf admin and your
    application.

    Azadi Saryev
    Sabai-dee.com
    http://www.sabai-dee.com/
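The scheme in this reply (and in the one-line suggestion at the end of the thread), written out as an added example; this is my code, not the poster's. It assumes an Application.cfc whose application name is FormDemo, a form page form.cfm and a handler handler.cfm, and it keeps one token per session as described.

```cfml
<!--- Application.cfc (assumed name "FormDemo"): session management must be on for the session scope to exist --->
component {
    this.name = "FormDemo";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
}

<!--- form.cfm: issue one random token per session and embed it in the form --->
<cfif not structKeyExists(session, "formToken")>
    <cfset session.formToken = createUUID()>
</cfif>
<cfoutput>
<form method="post" action="handler.cfm">
    <input type="hidden" name="formToken" value="#session.formToken#">
    <input type="text" name="comment">
    <input type="submit" value="Send">
</form>
</cfoutput>

<!--- handler.cfm: accept only a POST that carries the token stored in this session --->
<cfif cgi.request_method neq "POST">
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfabort>
</cfif>
<cfif not structKeyExists(session, "formToken")
      or not structKeyExists(form, "formToken")
      or compare(form.formToken, session.formToken) neq 0>
    <!--- no session token, no posted token, or they differ: log and refuse --->
    <cflog file="csrf" type="warning"
           text="Form token mismatch from #cgi.remote_addr# for #cgi.script_name#">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<!--- token matches: it is safe to process form.comment here --->
```

The token is bound to the submitting browser's own session, so a third party who views the page source obtains only a token for their own session, which the handler will not accept against the victim's session; that is what makes the check a cross-site request forgery defence even though the value is visible in the HTML.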
    Sauleve (Author)
    Participating Frequently
    February 2, 2009
    This helps, but the user can still visit the form page, which sets the form session token. A simple right click will show the hidden form field by viewing page source. The submission form can be simply saved to local, modified and submitted to the application.

    This at least means an attack could only come from someone entitled to log on, and that every attack needs a visit to the genuine form to grab the token. I'm guessing that, coupled with http.request validation, this would prove some aggravation to a hacker at least.

    Any other suggestions on how to tie down the form handler to POST requests originating on the server only?
    Inspiring
    February 1, 2009
    Set a session variable to a random value on your form page and check for it on your action page.