A way to check if the form post came from the local website? Else deny?

listenmirndt

Hi guys, I am looking for a way to check if a form post originated from the local site, or a remote site,

I mean, I would like to prevent remote form post's from hijacking my form script,

So if the form submitted to my script from the same domain it was running on, thats OK, but if the form post came from http://external-domain.com, that would be rejected..

Can anyone suggest a way to do this? The issue, is that the local form is not always going to be at the same location on my website, so I can't just use a plain http_referer check,

Any ideas would be great,
thanks!
-Arron

NogDog

Firstly, don't use the $_SERVER['HTTP_REFERER'] value. It is not a required header, and some browsers will not send it under perfectly valid usage (and it is easily spoofed by malicious users).

One possibility would be to use sessions, have your form page generate a random value, put that value in a hidden form field and save it in $_SESSION, then on form submission check that the value in the form matches that in the session data.

listenmirndt

Ok, thanks for the suggestion, $_SESSION is not really viable for my setup, any other possibilities

laserlight

Write your script such that it does not matter where the form data comes from. In other words, instead of trying to put the client under your control, just do not trust the client.

listenmirndt

Again, not really viable, but thanks for the suggestion, but the sounds of it, there is not information to compare about where a form is submitted "From"... ?

NogDog

All you get are the HTTP headers sent by the client. The only header I know of that tells where you are coming from is the HTTP_REFERER, and as I mentioned above, it is not optional and entirely spoofable. While I can't imagine why sessions are not an option, the only other thing I can think of off the top of my head would be to put a timestamp value in a hidden field in the form, then in the form-handler script check that it is not more than some arbitrary number of seconds less than the current timestamp. This is still hackable if someone looks at the HTML form code and figures out that the number is a timestamp -- so I suppose you could do some mathematical transformation of the value that would make it less obvious?

laserlight

Again, not really viable, but thanks for the suggestion, but the sounds of it, there is not information to compare about where a form is submitted "From"... ?

Sessions are not viable, and attack proofing your form processing code is not viable? Honestly, it is starting to sound like providing your form over the Internet is not viable to begin with, so you are attempting to provide a wrong solution (e.g., ideally you are looking to restrict your users to isolated computers under your physical control).

Why is it so important that the form be submitted from your webpage?