I am not following you too much but, from what I am getting at you should simply just need to make sure to have a/the script check referrers and if the referrers are not from site A then simply invalidate the form.
It'll be PHP, and to clarify, I want to ensure that you can only submit form data using the supplied form, and not a form from an outside site (So only site A can post information to any forms on site A).
I heard that using the reffer method isn't reliable because it be easily faked.
You actually don't even need to use a cookie or a session as using your second option is all that is needed.
In the script have it check the domain of the referrer to the script and if the domain is site "A"'s domain then display the html for the form and so forth, otherwise display an error message with some custom text/explanation/whatever.
That should be feasible enough to accomplish what you are wanting.
yuo could write a variable using a randomly generated integer or random pieces of a string of character groups and md5() the resultant string, then store it in database or flat file as the form page is loaded, then when you get to the script processing page you can query the database or flat file and if that value doesnt exist matching the hidden value (using input type=hidden) submitted with the form, then the action faikls, and you can have a handler to re-direct or something.
for example. in form page (form.php)you can do:
$stored=md5($temp); //this value is stored in database
//either flat file or mysql/postgres, whetever
//your html stuff goes here, create form, etc.
//somewhere after the <form action="result.php" method="post">
//and the form submit button, insert this:
<input type="hidden" name="valid_str" value="<?php echo $temp;?>">
then in the result.php page, all you have to do is:
//NOW we query the database/flat file and get the $stored value
//and then check values to match, if not, the script redirects to form //page again
if($check != $stored)
//validation failed, redirect
//otherwise, check has been validated, so go ahead and
//process form data
Still easy to defeat.... as I read his post, the intent is to stop some jerk from site B from cloning his form data.. could just as easily encrypt the HTML in it's entirity, so viewing source code, you cant even SEE the value... (overly complex) or you can use sessions, if encrypted, session data cannor be passed from site B to site A when site A is looking for session data from site A only. (match up the session ID's, no need for a hidden form field if you set a session cookie, with session ID encrypted- also more complex)
there's lots of options to this problem, but none that are foolproof.
of course, we COULD change the sequence around taht I have put, and instead send the md5()'d random sequence in the form, and match it to the raw sequence saved in database or flat file, md5() is the ONLY simple encryption method that you cannot reverse-engineer or de-crypt (without a LOT of processing power).. and of course, instead of a random number generator as I posted, you could simply take pieces of selected strings or any other sequence desired and encrypt that with MD5()..
if the only value they can read is the md5(), they have NO way of knowing just WHAT has been md5'd, so they have really no way of
duplicating. cloning or hacking in any realistic sense..
they could still capture your form in an IFRAME window in their webpage and clone your form that way , and they would be USING your form.. but again, you can break that by putting in your html that your page loads ON TOP of anything else (I broke past lycos free hosting advertising stuff that way, until they kicked me out.. hehehe)
so I'll still say MD5 of a random value is yoru best bet, just probably better to send the md5() in the form hidden field instead of the raw value, then check the md5() against the stored value in your flat file or database, as long as you keep your DB cleaned up and no stray values hanging around (set tmiestamp to them and run a cron job to delete them after a 10 minute period or something like that)
The thing with the hidden form is that the processing script will take that value, decrypt it and verify it. There isnt much stopping me from taking the encrypted value from the hidden field and sending that in my own form.
Originally posted by Hero Doug The thing with the hidden form is that the processing script will take that value, decrypt it and verify it. There isnt much stopping me from taking the encrypted value from the hidden field and sending that in my own form.
Hmm how do you mean?? if the random encrypted value is .. RANDOM, and a new value is generated EVERY TIME the page is loaded, you will have to go get this value again and again EACH TIME before you can use it on your own form.. meaning.. for every time you want to submit using your own form from site B, you have to first go to site A and generate a new random MD5() value in the hidden field, and then go back to your form on site B and submit that value.. is that what you are saying? Seems hardly worth the trouble, it "COULD" be done by a cross site script, yes, but that can also be avoided or prevented with a little ingenuity....
the most secure way you can do this and ensure only YOUR form from YOUR site is being used is to use SSL (https://) connection.
I just thought of a great way.
Send either the Size of the file and/or the date last modified.
Then you can check it with the file on server.
Inputing extra data will change those above values.
Also you can check for ip [which can be spoofed]
Originally posted by Hero Doug
Use the HTTP_REFERER function to verify the URL that the form was sent from.
HTTP_REFERER in not raliable and can be very easly spoofed to be anything you want it to be.
One other option- if you have the GD library enabled in php, you can require a turing number, which can only be read by a human, not by any machine, but that still won't prevent your page being loaded in an IFRAME...
It's a very tough situation.. if you could explain exactly what it is that your form does and why you dont want it submitted from anywhere but yuor own domain, maybe we could help you with a solution.
The referer thing doesn't help as it can be spoofed. The only secure way is to make an image code and the visitor has to enter the image code while scripts can not read or interprete the image. That's how Google and Overture do it. It is the only way
Originally posted by Hero Doug [q]if you could explain exactly what it is that your form does and why you dont want it submitted from anywhere but yuor own domain, maybe we could help you with a solution.[/q]
It's to prevent spamming. Someone I know was just a victim of it, the person used an automated script to flood his forum and contact form with fake posts. I want to try and avoid that myself.
Then use a turing number system. this requires human input, and you can also set a flood limit per user, set a limit on posts per day by any one user, and require all new signups to be activated and verified before they can post.
much simpler than trying to lock down a form to your website only.
The easiest way has already been mention - each time the page containing the form is loaded, generate a random number and store it in the database along with a timestamp of when it was created. On the form handling page, check for any 'expired' details (maybe expire them after 2 hours?), then process the form. Check the random value it sent exists in the database, delete the entry from the db and proccess the form.
They could start 'ripping' the random number from you though, but the chances are their server will have a static IP. If you can isolate that address and find it out, you could either block access altogether, or do the much more fun thing of feeding them absolute crap back