httpd-dev mailing list archives

From ras...@madhaus.utcs.utoronto.ca
Subject Re: Restricting POST access from external forms?
Date Wed, 01 May 1996 05:36:05 GMT
> Is there any way to restrict a POST method request if the originating
> form is not local?  As far as I can tell, there isn't, but I could
> have missed something.  Checking HTTP_REFERER in a CGI script will do the
> trick, but it would be nice to add a configuration directive for this.

Ugh!  Yes, I am replying to my own stupid question.  Too much coding, not
enough sleep.

This obviously can't be done by the server.  Some sort of cookie mechanism,
or an intelligent one-time password scheme passed from page to page might
do the trick.  The question being, "How do you stop someone from sending
fake POST data to a CGI?"  It would be nice if one could trust hidden
form fields to not have been tampered with by the client.  Best way is
probably the one-time password/checksum idea.  Regardless, it's not an
Apache issue.

-Rasmus
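
The one-time password/checksum idea from the message above, sketched as an added example that is not part of the original post: the server issues each form with a random single-use nonce and a keyed checksum (HMAC-SHA256) over the hidden fields, then rejects any POST where either fails to verify. All names here (SERVER_KEY, issue_form, verify_post, the _nonce and _mac fields) are assumptions made for illustration, and the in-memory nonce set stands in for whatever shared storage a real CGI would need.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-server secret that is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
# Outstanding one-time nonces (in-memory here; a CGI needs storage shared across requests).
_issued = set()

def _mac(nonce, fields):
    # Length-prefix every part so bytes cannot be shifted between name, value and nonce.
    msg = b""
    parts = [nonce]
    for name in sorted(fields):
        parts += [name, fields[name]]
    for part in parts:
        raw = part.encode()
        msg += len(raw).to_bytes(4, "big") + raw
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_form(hidden):
    """Return the hidden fields plus the nonce and checksum to embed in the served form."""
    nonce = secrets.token_hex(16)
    _issued.add(nonce)
    out = dict(hidden)
    out["_nonce"] = nonce
    out["_mac"] = _mac(nonce, hidden)
    return out

def verify_post(post):
    """True only if the hidden fields are unmodified and the nonce has not been used."""
    post = dict(post)
    nonce = post.pop("_nonce", "")
    mac = post.pop("_mac", "")
    # Constant-time comparison; a tampered field or forged nonce fails here.
    if not hmac.compare_digest(mac, _mac(nonce, post)):
        return False
    # A valid checksum with a spent or unknown nonce is a replay.
    if nonce not in _issued:
        return False
    _issued.discard(nonce)
    return True

if __name__ == "__main__":
    form = issue_form({"item": "42", "price": "19.99"})  # constructed sample fields
    print(verify_post(dict(form, price="0.01")))  # tampered hidden field
    print(verify_post(form))                      # untouched form, first submission
    print(verify_post(form))                      # same form replayed
```

This covers only the server-issued hidden fields; values the user types into the form are outside the checksum and still need ordinary validation.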
