The only fool proof method is is to have the application generate an image. The image will contain a random number or series of letters. The user must type these into a form field to continue. It's a password that only humans can read. It won't prevent an outside script from 'trying' to access the system.. but since the script can not read what is on the image then it has to try 50,000,000 keys until it finds the right one.
It works. -Kevin ----- Original Message ----- From: "Warrick Wilson" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, April 30, 2002 1:52 PM Subject: [PHP] Is it possible to verify that a form submision is not being "spoofed"? > I'm having a hard time explaining what I'm trying to do, which is why I'm > having a hard time finding anything online/in manuals... > > My site serves a form for the user to fill in. User has been authenticated > with a login and we're using PHP 4 sessions. When using Internet Explorer, > the user can hit Ctrl-N and get a new window, but his session for that new > window is still valid. He could then load up a local page and submit it to > the target of my original form. > > Is there some way of detecting that the submission came from a page that > hadn't been served up by my application, but was instead sent in from some > other "foreign" form? > > Or maybe the question is - how can I kill off sessions if the user navigates > away from the page that I sent him originally? > > > Warrick Wilson > mailto:[EMAIL PROTECTED] > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
