How else do I protect a form-submit .cfm page to make sure the request only comes from pages in my own site?
So far I have this:
<!--- Refuse anything that is not a POST; NEQ avoids relying on NOT/EQ precedence --->
<cfif cgi.REQUEST_METHOD NEQ "POST">
<cflocation url="../index.cfm" addtoken="no">
</cfif>
I don't believe you can. You can check the CGI.HTTP_REFERER value, but that is easily spoofed if someone is looking to post to your page. CFCaptcha might be worth a look though. Care to elaborate on the problem?
I basically only want people to post here if they are authenticated users.
Then in your application.cfc's onRequestStart() method, you need to check authentication. If they're not authenticated, redirect to a failure page or return a 403 response. As long as all of that happens in onRequestStart(), the page will never be processed.
We do the following in our application.cfm:
<!--- FORM.fieldNames is only present on form POSTs; for those, require a Referer on our own host --->
<cfif isDefined("FORM.fieldNames") and len(FORM.fieldNames) and NOT reFindNoCase("^(http|https)://#CGI.HTTP_HOST#/", CGI.HTTP_REFERER)>
<cfabort showerror="Forbidden Request - POST request denied.">
</cfif>
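Combining the onRequestStart() authentication gate with the application.cfm Referer check above in one Application.cfc, as an added example that is not code from any of the posters; the application name, the session.userId login marker and the /login.cfm page are assumptions:

```cfml
<!--- Application.cfc (hypothetical; app name, session key and login page are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "protectedFormsApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- 1. Authentication gate: unauthenticated users are redirected before the
              requested page runs. The login page itself must stay reachable. --->
        <cfif NOT structKeyExists(session, "userId") AND NOT findNoCase("/login.cfm", arguments.targetPage)>
            <cflocation url="/login.cfm" addtoken="no">
            <cfreturn false>
        </cfif>

        <!--- 2. Only authenticated users reach this point. For POSTs, additionally require
              a Referer naming our own host, as in the application.cfm check. The Referer is
              client-supplied, so this blocks ordinary cross-site form posts, not a
              deliberate forger; the 403 is sent before the page is processed. --->
        <cfif CGI.REQUEST_METHOD EQ "POST" AND NOT refererIsLocal(CGI.HTTP_REFERER, CGI.HTTP_HOST)>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort showerror="Forbidden Request - POST request denied.">
        </cfif>

        <cfreturn true>
    </cffunction>

    <cffunction name="refererIsLocal" access="private" returntype="boolean" output="false">
        <cfargument name="referer" type="string" required="true">
        <cfargument name="host" type="string" required="true">
        <cfset var refHost = "">

        <!--- No Referer, or not an http(s) URL: it cannot prove the request came from us. --->
        <cfif NOT reFindNoCase("^https?://[^/]+", arguments.referer)>
            <cfreturn false>
        </cfif>
        <!--- "https://www.example.com:8500/form.cfm" splits on "/" into
              "https:", "www.example.com:8500", "form.cfm"; element 2 is host[:port], the
              same form CGI.HTTP_HOST carries, so compare whole strings instead of placing
              the host inside a regex, where "." would match any character. --->
        <cfset refHost = listGetAt(arguments.referer, 2, "/")>
        <cfreturn compareNoCase(refHost, arguments.host) EQ 0>
    </cffunction>
</cfcomponent>
```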
Steve's and Owain's answers are great!!