[nycphp-talk] NEW PHundamentals Question
Dan Cech
dcech at phpwerx.net
Mon Feb 9 22:39:57 EST 2004
Jeff Siegel wrote:
> Almost every website has an HTML form for visitors to complete. But how
> do you know that the person who completed the form did so through your
> website? The question for this month's PHundamentals article is: What
> method(s) do you use to assure that no one has 'spoofed', i.e.,
> 'forged', a form submission?"
I guess the real question here is what you are trying to guard against.
One attack against forms is for a script to simulate multiple users,
causing the system to potentially crash under the load.
The only defense I know of against this is the dynamic image, which
essentially requires a human operator to be able to decipher the image.
The second attack you are trying to protect against is that a user may
maliciously submit a form in an attempt to 'spoof' or 'forge' a
submission by another user. For this type of attack I would recommend a
one time token system backed up by a fairly secure session management
system to tie each form to a session (and time) and then protect that
session.
Dan
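The one-time token scheme Dan describes, as an added example that is not part of the original post or of anything published on the list: each token is issued for one form within one session, stamped with its issue time, and destroyed on first use. It is written in Python rather than PHP; the in-memory store, the injectable clock, the `TOKEN_TTL_SECONDS` limit and the session ids in `demo()` are all constructed assumptions standing in for whatever session backend an application really uses.

```python
import hmac
import secrets
import time

# Assumed policy: a form must come back within ten minutes of being served.
TOKEN_TTL_SECONDS = 600


class FormTokenStore:
    """One-time form tokens keyed by (session id, form name).

    The dict below is a constructed stand-in for a real session store; the
    clock is injectable so expiry can be demonstrated without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # (session_id, form_name) -> {token: issued_at}

    def issue(self, session_id, form_name):
        # 256 bits from the OS CSPRNG: unguessable, so a forger who is not in
        # this session cannot produce a value the store will accept.
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault((session_id, form_name), {})[token] = self._now()
        return token

    def consume(self, session_id, form_name, submitted):
        """Accept `submitted` only if it was issued to this session for this
        form and has not expired. A matching token is removed whether or not
        it is still fresh, so it can never be replayed."""
        if not isinstance(submitted, str) or not submitted:
            return False
        outstanding = self._tokens.get((session_id, form_name), {})
        # Check every outstanding token without breaking early, using a
        # constant-time comparison, so timing does not leak which prefix matched.
        match = None
        for tok in outstanding:
            if hmac.compare_digest(tok.encode(), submitted.encode()):
                match = tok
        if match is None:
            return False
        issued_at = outstanding.pop(match)
        return self._now() - issued_at <= TOKEN_TTL_SECONDS


def demo():
    """Walk a legitimate submission and the forgeries the scheme rejects."""
    clock = [1000.0]  # constructed, controllable clock
    store = FormTokenStore(now=lambda: clock[0])
    alice, mallory = "sess-alice", "sess-mallory"  # constructed session ids
    results = {}

    tok = store.issue(alice, "contact")
    results["legit"] = store.consume(alice, "contact", tok)        # True
    results["replay"] = store.consume(alice, "contact", tok)       # False: used up

    tok2 = store.issue(alice, "contact")
    results["other_session"] = store.consume(mallory, "contact", tok2)  # False
    results["other_form"] = store.consume(alice, "signup", tok2)        # False
    results["forged"] = store.consume(alice, "contact", "not-a-token")  # False

    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.consume(alice, "contact", tok2)     # False: too old
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} accepted={accepted}")
```

In a real application the token is written into a hidden field when the form is rendered and `consume()` is called before any other handling of the POST; the session id comes from the application's own session cookie, which is why Dan notes that the session management itself must be protected, since a stolen session carries its tokens with it.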