Glogger Steven wrote:
Well, IMHO this is no better than my solution using JS. What do you do if someone has cookies disabled? I, for my part, often reject cookies 'just because' when I don't feel they're really needed...
JavaScript is client side. It only prevents a form from being submitted. What if you circumvent that and post directly? As we know, simulating a POST is quite easy: telnet to the host on port 80:
POST /superposter/gna.php HTTP/1.1
Host: www.blabla.ch
User-Agent: whatever you want
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.blabla.ch/urli/index.php
Cookie: PHPSESSID=1111111
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

action=login&nick=username&password=password&submit=LOGIN

(each header line is terminated by \r\n; an empty line separates the headers from the body, and Content-Length is the byte count of that body)
If you get that, you cannot check whether he used your JavaScript or not ;-) He might check your session ID, but what if the client gets a session ID and uses that one to fill in the form? That's so easy :-) (I've been using such a tool as a proxy for an online game for about 5 years ;-))
You still didn't get the point.
Look at my post from 15.08.2006 18:59.
I don't prevent a user from sending the form - I know this is pointless. Rather, I use JS to write some (optionally dynamic) value into the form before sending. If that value isn't present in the POST request, the formmailer script refuses to send the mail. This effectively defeats any non-JS-aware machine, including spammers, robots and lynx.

Like I said earlier, this can be combined with dynamic data, close to what Markus Wild also said, for example by using some varying string containing a timestamp or something like that. This is a step more effective than Markus' idea with the session, as it not only requires gathering a very up-to-date version of the form but additionally the execution of JS. You could write a function which calculates the value so you can't just easily copy-paste it out, and so on...

The forms I'm using this on have not been abused anymore since the introduction of the JS check, since it would really require massive user interaction.
Matt
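As an added illustration of the server-side half of the check discussed in this thread (example code, not Matt's formmailer, which is PHP): the "varying string containing a timestamp" is realised here as an HMAC over a form identifier and an issue time, so the value cannot be forged, re-used on another form, or replayed after its lifetime. The secret, the lifetime, the hidden field name `jscheck` and the form identifier `contact` are assumptions made for the example. The page's JavaScript is assumed to write the token into the hidden field before submit; a blind POST like the telnet request above carries no such field and is rejected.

```python
import hashlib
import hmac
import time

# Assumed values for the example; a real formmailer keeps its own secret.
SERVER_SECRET = b"example-secret-change-me"
TOKEN_LIFETIME = 10 * 60   # seconds a token stays valid (assumed)
TOKEN_FIELD = "jscheck"    # hidden form field the page's JS fills in (assumed)


def make_token(form_id: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Value the server emits with the form and the JS copies into the hidden field.

    Binding the MAC to form_id and a timestamp is what makes the value 'dynamic':
    a token taken from an old copy of the form, or from another form, fails.
    """
    msg = f"{form_id}:{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def verify_token(form_id: str, token: str, now: int,
                 secret: bytes = SERVER_SECRET, lifetime: int = TOKEN_LIFETIME) -> str:
    """Return 'ok' or the reason the token is rejected."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return "malformed token"
    if now - issued_at > lifetime:
        return "token expired"
    if issued_at > now + 60:          # small clock-skew allowance; no tokens from the future
        return "token from the future"
    expected = hmac.new(secret, f"{form_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return "bad MAC"
    return "ok"


def handle_post(fields: dict, form_id: str, now: int) -> str:
    """Decide whether the formmailer sends the mail for this POST."""
    token = fields.get(TOKEN_FIELD)
    if token is None:
        return "rejected: token missing"   # a blind POST never saw the page's JS
    reason = verify_token(form_id, token, now)
    if reason != "ok":
        return f"rejected: {reason}"
    return "accepted"


if __name__ == "__main__":
    now = int(time.time())
    token = make_token("contact", now)
    # Constructed sample POST bodies, already parsed into dicts.
    browser_post = {"name": "Steven", "message": "hi", TOKEN_FIELD: token}
    blind_post = {"action": "login", "nick": "username", "password": "password"}
    stale_post = {"name": "bot", TOKEN_FIELD: make_token("contact", now - 3 * 3600)}
    for label, post in (("browser", browser_post), ("blind", blind_post), ("stale", stale_post)):
        print(f"{label:8s} -> {handle_post(post, 'contact', now)}")
```

The check only separates clients that fetched the current page and ran (or emulated) its script from clients that post blindly: a scripted client that first requests the form and copies the freshly issued value into its POST, as Steven describes, still passes. Deriving the value in JavaScript rather than copying it raises the effort for that client but does not change what the server can verify.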