nikos101
Inspiring
January 26, 2012
Answered

Protect a form submit cfm page

How else do I protect a form submit .cfm page to make sure the request only comes from pages on my own site?

So far I have this

<!--- Only POST is allowed to reach the handler; any other method is bounced to the home page --->
<cfif NOT (cgi.REQUEST_METHOD eq "POST")>
  <cflocation url="../index.cfm" addtoken="no">
</cfif>


Steve Sommers (Correct answer)
Brainiac
January 26, 2012

We do the following in our application.cfm:

<!--- FORM.fieldNames is only populated on a form post; reject the post unless the Referer is an http(s) URL on this host --->
<cfif isDefined("FORM.fieldNames") and len(FORM.fieldNames) and NOT reFindNoCase("^(http|https)://#CGI.HTTP_HOST#/", CGI.HTTP_REFERER)>
  <cfabort showerror="Forbidden Request - POST request denied.">
</cfif>

nikos101 (Author)
Inspiring
January 27, 2012

Steve's and Owain's answers are great!!

Owainnorth
Inspiring
January 26, 2012

I don't believe you can. You can check the CGI.HTTP_REFERER value, but that is easily spoofed if someone is looking to post to your page. CFCaptcha might be worth a look though. Care to elaborate on the problem?

nikos101 (Author)
Inspiring
January 26, 2012

I basically only want people to post here if they are authenticated users.

Owainnorth
Inspiring
January 26, 2012

Then in your application.cfc's onRequestStart() method, you need to check authentication. If they're not authenticated do a redirect to a failure page or return a 403 response. As long as all that happens in onRequestStart(), the page will never be processed.
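Putting Owain's onRequestStart() advice together with the goal behind Steve's Referer check (accept a POST only if it came from one of this site's own pages), here is an added example that is not code from anyone in this thread. It is an Application.cfc that authenticates in onRequestStart() before the submit page runs, and replaces the spoofable Referer test with a random per-session token that every form must echo back; a request forged from another site cannot read that token, whatever Referer header it sends. The application name, the protected path /process_form.cfm, and session.userId as the "logged in" flag are assumptions, not anything the thread specifies.

```cfml
// Application.cfc  (added example; not code from the thread above)
//
// The form page embeds the session token in each form (inside <cfoutput>):
//   <form method="post" action="process_form.cfm">
//     <input type="hidden" name="formToken" value="#session.formToken#">
// The token is hex output of hash(), so it needs no HTML encoding.
component {

    this.name = "formGuardExample";                 // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Scripts that may only be reached by authenticated users, via POST,
    // with a valid token. The path is an assumption; use your real submit page.
    variables.protectedScripts = ["/process_form.cfm"];

    public boolean function onRequestStart(required string targetPage) {
        // Mint one random token per session; forms embed it, the submit page must echo it.
        if (NOT structKeyExists(session, "formToken")) {
            session.formToken = hash(createUUID() & getTickCount(), "SHA-256");
        }

        if (isProtected(arguments.targetPage)) {
            // Authentication first: an anonymous session never reaches the page.
            // session.userId is assumed to be set by your own login code.
            if (NOT (structKeyExists(session, "userId") AND len(session.userId))) {
                deny("Login required");
                return false;
            }
            // Then require POST carrying this session's token. The Referer header
            // is attacker-controlled; the token is not, because other origins cannot read it.
            if (cgi.request_method NEQ "POST"
                    OR NOT structKeyExists(form, "formToken")
                    OR NOT tokensMatch(form.formToken, session.formToken)) {
                deny("Forbidden Request - POST request denied.");
                return false;
            }
        }
        return true;
    }

    private boolean function isProtected(required string targetPage) {
        return arrayFindNoCase(variables.protectedScripts, arguments.targetPage) GT 0;
    }

    // Send a 403 and stop; because this runs in onRequestStart(), the page is never processed.
    private void function deny(required string message) {
        getPageContext().getResponse().setStatus(403);
        writeOutput(arguments.message);
        abort;
    }

    // Constant-time comparison so a mismatch position does not leak through timing.
    private boolean function tokensMatch(required string a, required string b) {
        if (len(arguments.a) NEQ len(arguments.b)) {
            return false;
        }
        var diff = 0;
        for (var i = 1; i LTE len(arguments.a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
        }
        return diff EQ 0;
    }
}
```

Steve's Referer check can stay in front of this as defense in depth, but nothing should rely on it: a client that is willing to post to your page can set any Referer it likes, or none at all. On ColdFusion 10 and later the token part is built in as CSRFGenerateToken() and CSRFVerifyToken(); the hand-rolled version above is for older servers. If your login code regenerates the session on successful login, mint the token again there so a pre-login session cannot carry one over.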