Confirm the origin of FORM POST to make sure it came from the same server / application

I want to find a platform / language agnostic solution to ensure the origin of a form POST from an expected source. That is, Page1.aspx to page2.php on the same website.

In particular, I am trying to do this to prevent request forgery.

+6
csrf
3 answers

Use a hidden field in your form that contains the token created by your application. Store the token in a user session. When the form is submitted, your application will verify that the value of the hidden field is identical to the value stored in the user's session.

If it is identical, then you know that the form was submitted from where it is expected.

+8
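The session-token check described in this answer, as an added example that is not code from the original post. It is framework-neutral Python; `session` and `form` are assumed to be plain dicts standing in for the server-side session store and the parsed POST body, and the token is compared in constant time so a mismatch cannot be probed byte by byte:

```python
import hmac
import html
import secrets

# Key under which the per-session anti-CSRF token lives in the session store.
SESSION_KEY = "csrf_token"
FIELD_NAME = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Return the session's anti-CSRF token, creating it on first use.

    The token is generated server-side from a CSPRNG and is never derived
    from anything the client controls, so a third-party page cannot guess it.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        session[SESSION_KEY] = token
    return token


def hidden_field(session: dict) -> str:
    """Render the hidden <input> to embed in every state-changing form."""
    token = html.escape(issue_csrf_token(session), quote=True)
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def verify_csrf_token(session: dict, form: dict) -> bool:
    """Accept the POST only if the submitted token equals the session's token.

    A missing session token (no form was ever served to this session) or a
    missing form field is rejected outright rather than treated as a match.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(FIELD_NAME)
    if not expected or not submitted:
        return False
    # Constant-time comparison: the result does not leak how many leading
    # bytes of a guessed token were correct.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed walk-through: serve the form, then replay the submission.
    sess = {}
    print(hidden_field(sess))                                   # page 1 renders this
    print(verify_csrf_token(sess, {FIELD_NAME: sess[SESSION_KEY]}))  # True: genuine submit
    print(verify_csrf_token(sess, {FIELD_NAME: "forged-value"}))     # False: cross-site forgery
```

Regenerate the token on login (or on any privilege change) so a token captured before authentication cannot be reused afterwards.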

Old thread, but may be useful.

If you do not have session state set up (the best option), you can include a hidden field with an encrypted timestamp, and then compare it (after decryption) with the current time at the end of the process to make sure that it is relatively close, and therefore the same, as you see fit.

+1

You can include a hidden field in the form, which will be SHA1Hash("some-secret" + Remote_IP + PerSessionSecret).

PerSessionSecret is what you automatically generate at the start of a session. "some-secret" is a global secret value that will help a little if the randomly generated PerSessionSecret is not random enough.

Then do the same calculation when submitting the form, and you know that it is most likely sent from the same client to which it was sent. (Of course, if you have several clients behind a single address, such as a proxy or NAT, you cannot distinguish them reliably).

0