2 Replies Latest reply on Apr 10, 2009 10:17 AM by Mark.Gregory

    Coldfusion POST method security

      I am implementing a registration page where users can input their personal data. The page is named registration.cfm. The page then sends the data to itself via a form POST method for further processing. In practice, what is the best security framework to ensure that the data passed was from the original registration.cfm page? Thanks in advance.

        • 1. Re: Coldfusion POST method security
          Daniel Short

          The easiest way would be to check CGI.HTTP_REFERER to see if it's your registration.cfm page. Another way to go about it would be to check for session values to make sure that a session value set on the initial page load matches the one currently in session. Something like this:


          <cfparam name="Session.FormID" default="#CreateUUID()#" />
          <cfif IsDefined("FORM.Fieldnames")>
               <!--- The form has been submitted --->
               <cfparam name="FORM.FormID" default="" />
               <cfif FORM.FormID NEQ Session.FormID>
                    <p>Bad user, not sent from our site.</p>
                    <!--- Give them a new form id, just to make it a little harder --->
                    <cfset Session.FormID = CreateUUID() />
               <cfelse>
                    <!--- Continue processing your form --->
               </cfif>
          </cfif>
          <!--- Lots of other code --->
          <cfform action="registration.cfm" method="post">
               <!--- Lots of other form fields --->
               <cfinput type="hidden" name="formid" value="#Session.FormID#" />
          </cfform>


          Hope that helps,


          Daniel Short

          Adobe Community Expert   

          • 2. Re: Coldfusion POST method security
            Mark.Gregory Level 1

            If security is a concern, keep in mind that headers can easily be messed with. You might want to try out the Tamper Data addon for Firefox to see what I mean. Even if the form was submitted from the correct page, it won't mean that your user input is clean and safe. If you haven't seen what can so easily be done, you are about to be terrified hehe... Form input is a great place for a blind SQL injection attack. Sometimes developers will cover url variables pretty well, but not cover form input so much.


            Best practice is to assume that any and all user input is going to be used as an attack, and treat it accordingly.
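
As an added example (not code from either reply), here is a registration.cfm that combines the per-session form token from reply 1 with the server-side validation and parameterized query that reply 2's warning calls for. The datasource name registrationDSN, the users table and its columns are assumptions, and session management is assumed to be enabled in Application.cfc.

```cfml
<!--- registration.cfm: assumes session management is enabled in Application.cfc
      and a datasource named "registrationDSN" (both names are assumptions) --->
<cfparam name="Session.FormID" default="#CreateUUID()#" />

<cfif IsDefined("FORM.Fieldnames")>
    <cfparam name="FORM.FormID" default="" />
    <cfparam name="FORM.username" default="" />
    <cfparam name="FORM.email" default="" />

    <cfif Compare(FORM.FormID, Session.FormID) NEQ 0>
        <!--- Token mismatch: reject and rotate the token so the old one is useless --->
        <cfset Session.FormID = CreateUUID() />
        <p>This form was not sent from our site.</p>
    <cfelseif NOT (IsValid("regex", FORM.username, "^[A-Za-z0-9_]{3,32}$")
                   AND IsValid("email", FORM.email))>
        <!--- Server-side validation: the browser-side checks can be bypassed --->
        <p>Please enter a valid username (3-32 letters, digits or _) and e-mail address.</p>
    <cfelse>
        <!--- Parameterized insert: cfqueryparam keeps user input out of the SQL text,
              so a value such as ' OR 1=1-- is stored as data, never executed as SQL --->
        <cfquery datasource="registrationDSN">
            INSERT INTO users (username, email)
            VALUES (
                <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar" maxlength="32" />,
                <cfqueryparam value="#FORM.email#" cfsqltype="cf_sql_varchar" maxlength="254" />
            )
        </cfquery>
        <!--- One token per submission: a replayed POST carrying the old token is rejected --->
        <cfset Session.FormID = CreateUUID() />
        <p>Registration received.</p>
    </cfif>
</cfif>

<cfform action="registration.cfm" method="post">
    <cfinput type="text" name="username" maxlength="32" />
    <cfinput type="text" name="email" maxlength="254" />
    <cfinput type="hidden" name="formid" value="#Session.FormID#" />
    <cfinput type="submit" name="submit" value="Register" />
</cfform>
```

The token only proves the POST came from a browser that first loaded this page in the same session; the validation and cfqueryparam are what protect the database from whatever that browser sends.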