
Problem

Any unprotected form on your web site can be vulnerable to a malicious user POSTing to its handler directly from their own machine, and, more mundanely, to a user submitting the same form twice.

Solution

Setting a session variable when the form page is loaded, then checking and deleting it in the handler, prevents the form-handling page from being called from anywhere but the intended page (or pages) and stops the user inadvertently submitting the form twice.

Detailed explanation

To see it work, submit the form, then refresh the form-processing page, then use the browser's back button to return and resubmit. The handler will only process the form again if the form page itself is called (or refreshed) first, since that is what re-creates the session variable.

MoreSecureForm.cfm

<html>
<head>
<title>Untitled</title>
</head>
<body>
<form action="moreSecureFormProcess.cfm" name="moreSecureForm" method="POST">
<input type="Text" name="testfield">
<!--- mark this session as having loaded the form page; the handler checks for this --->
<cfset session.formName="moreSecureForm">
<input type="submit" value="Click!">
</form>
</body>
</html>
 
moreSecureFormProcess.cfm

<html>
<head>
<title>Untitled</title>
</head>
<body>
<cfif IsDefined("form.testfield")>
<cfoutput>
<!--- HTMLEditFormat escapes the echoed value so a submitted string cannot inject markup --->
The value of your text field was: "#HTMLEditFormat(form.testfield)#"<p>
</cfoutput>
<cfif IsDefined("session.formName") and session.formName eq "moreSecureForm">
<!--- we know the form has been submitted from the original more secure form page, so continue form processing --->
Session variable matches, so process form.<p>
<!--- process here --->
....processing ...<br>
<!--- now delete the session variable to prevent resubmission --->
... done processing, tidy up.
<cfset StructDelete(Session, "formName")>
<cfelse>
<!--- No session variable found corresponding to the calling form name. Form is either spoofed or has already been submitted --->
This form has either already been submitted or is being called from the wrong page.
</cfif>
</cfif>
</body>
</html>
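Because the marker the recipe stores is a fixed string, it only shows that the visitor loaded the form page at some point in the session. The same idea with a per-visit random token, shown here as an added example rather than code from the original recipe, ties each submission to the exact page load that issued it and burns the token under a lock so a double click cannot pass twice; the file names tokenForm.cfm and tokenFormProcess.cfm are assumed, and encodeForHTML assumes ColdFusion 10 or later.

```cfml
<!--- tokenForm.cfm (assumed file name): issue a fresh one-time token each time the form is rendered --->
<cfapplication name="tokenFormDemo" sessionmanagement="true">
<cfset session.formToken = createUUID()>
<form action="tokenFormProcess.cfm" method="post">
  <input type="text" name="testfield">
  <!--- the token travels with the POST; a handler call without it, or with a stale one, is rejected --->
  <cfoutput><input type="hidden" name="formToken" value="#session.formToken#"></cfoutput>
  <input type="submit" value="Click!">
</form>

<!--- tokenFormProcess.cfm (assumed file name): accept the POST only once, for the matching token --->
<cfapplication name="tokenFormDemo" sessionmanagement="true">
<cfset accepted = false>
<!--- exclusive lock: two simultaneous submits (double click) cannot both see the token --->
<cflock scope="session" type="exclusive" timeout="5">
  <cfif structKeyExists(session, "formToken")
        and structKeyExists(form, "formToken")
        and compare(form.formToken, session.formToken) eq 0>
    <!--- burn the token before doing any work, so a refresh or back-and-resubmit fails the check --->
    <cfset structDelete(session, "formToken")>
    <cfset accepted = true>
  </cfif>
</cflock>
<cfif accepted and structKeyExists(form, "testfield")>
  <!--- encodeForHTML (CF10+) escapes the echoed value before it is written to the page --->
  <cfoutput>Token matched, processing: "#encodeForHTML(form.testfield)#"<p></cfoutput>
<cfelse>
  This form has either already been submitted or was not sent from the form page.
</cfif>
```

Note that compare() is case-sensitive, unlike the eq operator, so the token must match exactly as issued.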
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Permissions beyond the scope of this license, pertaining to the examples of code included within this work are available at Adobe.
