Hailwood, posted June 9, 2010:

Hi guys, I have a page which submits a form via AJAX. The form submits to add a new user. Users can only access this page if they are logged in, so my question is: how do we validate to make sure that the requests are coming only from that page? We thought about validating via the request IP, but if the form is submitted via AJAX would that not just be the client's IP?

Regards, Hailwood
shadiadiph, posted June 10, 2010:

You could maybe save them in a temp table on the database until the process is complete. Can't use just the IP address, some are shared by thousands of people. Maybe PHPSESSID and another value like strtotime and their guest ID or user ID.
5kyy8lu3, posted June 10, 2010:

Use server variables like $_SERVER['HTTP_REFERER'] to make sure it's coming from the exact page you're wanting it to.
Hailwood (author), posted June 11, 2010:

@Shadiadiph: We were looking at something like that, just wondering if there was an easier way. Thanks.

@5kyy8lu3: The HTTP_REFERER can be spoofed, so it is unreliable.
codebyren, posted June 11, 2010:

I'm not sure I understand the problem 100%. You're saying you have a page (example.php) which contains a form that is submitted via AJAX, and you want to make sure that the form is only ever submitted from example.php on your server?

When you show the form, add a hidden field with a random token in it that is also stored in the user's session. Then, in the code handling the AJAX post, compare the token posted with the form to the token stored in the user's session. If they're not the same, or one is missing, etc., then you know that the post was not made from your page.

Sorry if I misunderstood...
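The session-stored token that codebyren describes, written out as an added PHP example (not code from any poster in this thread). It assumes the application already keeps the logged-in user's id in $_SESSION['user_id'], and the file names example.php and add_user.php are just the ones used in the question.

```php
<?php
// Added example: per-session anti-CSRF token for a form submitted via AJAX.
// Assumption: the app stores the logged-in user's id in $_SESSION['user_id'].
session_start();

// Create the token once per session and keep the authoritative copy server-side.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars, CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
// A missing token on either side is a failure, not a pass.
function csrf_token_valid(?string $submitted): bool {
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- example.php: render the form with the token in a hidden field ---
// Because the field is part of the form, an AJAX submit that serialises the
// form (e.g. new FormData(form)) sends the token automatically.
function render_add_user_form(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form id="add-user" method="post" action="add_user.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="username">'
         . '<button type="submit">Add user</button>'
         . '</form>';
}

// --- add_user.php: the endpoint the AJAX request posts to ---
// Login is checked first, then the token; both must pass before any write.
function handle_add_user(array $post): array {
    if (empty($_SESSION['user_id'])) {
        return ['status' => 403, 'error' => 'not logged in'];
    }
    if (!csrf_token_valid($post['csrf_token'] ?? null)) {
        return ['status' => 403, 'error' => 'invalid or missing token'];
    }
    $username = trim((string)($post['username'] ?? ''));
    if ($username === '') {
        return ['status' => 400, 'error' => 'username required'];
    }
    // Insert the new user here using a prepared statement.
    return ['status' => 200, 'ok' => true, 'username' => $username];
}
```

Because the valid token only ever exists in the victim's own session and in markup served to that session, a request forged from another origin cannot supply it, which is the property the thread is after; the referer check suggested earlier gives no such guarantee.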