
help me brainstorm an algorithm to disallow posting to a form


dsaba


Hi, I've been thinking a while about this. I have a bunch of experience with posting remotely to forms. I need a way to secure my form on my website from being POSTED to from anywhere other than my own website. Something that cannot be bypassed. There are so many failed attempts/ideas that can be bypassed. Too many to list...

 

So, this is an open thread, if you have an idea describe the method/algorithm. I or others will decide if it's truly foolproof in disallowing anyone from POSTING to it from anywhere else other than your form. Anything goes except the HTTPS protocol. Keep in mind I said to disallow people from posting from somewhere else other than your site, and I didn't say to disallow automation. Automation is another thing entirely.

 

It can be a method involving regex, sessions, captchas..whatever..

Of course something to do with PHP or JS is preferred...

So anyone up to the challenge?

Let's see if it can be done.

 

Keep in mind that:

1. headers can easily be manipulated

2. cookies can be injected (although values of cookies might not be able to be changed)

just an idea.

 

1 page

1) generate an md5

2) store that in a hidden field on the page and in the session

 

2 page

compare the two (hidden field and session)

 

1. Your idea centers around checking for a session cookie

this can be injected into the header once obtained

2. the html source of the form is not hidden, and your hidden value in the form can be viewed

 

No offense, and thanks for adding your input, this is the point of the thread, there will be many not foolproof ideas, but that's the point, to finally get one that works... I'm interested in any more ideas.

 

Next..
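
The two-page scheme suggested above (a token in a hidden field and in the session, compared on the second page), as an added example that is not code from the thread. It swaps the md5 for `random_bytes()`, adds single use and an age limit, and simulates `$_SESSION` and `$_POST` with plain arrays; the function names and the 900-second limit are assumptions.

```php
<?php
// $session stands in for $_SESSION and $post for $_POST (constructed, no web server).

// Page 1: create a one-time token, keep it server-side, return the hidden field.
function issue_form_token(array &$session): string
{
    // 32 bytes from the CSPRNG instead of an md5, so the value cannot be guessed.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    $session['form_token_issued'] = time();
    return '<input type="hidden" name="form_token" value="' . $token . '">';
}

// Page 2: accept the POST only if it carries the token this session was given.
function check_form_token(array &$session, array $post, int $maxAge = 900): bool
{
    $expected = $session['form_token'] ?? null;
    $issued = $session['form_token_issued'] ?? 0;
    // Single use: drop the stored token whether or not the check passes.
    unset($session['form_token'], $session['form_token_issued']);

    $supplied = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // no form was served to this session, or field missing
    }
    if (time() - $issued > $maxAge) {
        return false; // form was loaded too long ago
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Serve a fresh form to a new session, then check the POST built by $makePost.
$run = function (string $label, callable $makePost): void {
    $session = [];
    preg_match('/value="([0-9a-f]{64})"/', issue_form_token($session), $m);
    $ok = check_form_token($session, $makePost($m[1]));
    printf("%-40s %s\n", $label, $ok ? 'accepted' : 'rejected');
};

$run('POST with the served token', fn($t) => ['form_token' => $t]);
$run('POST with no token', fn($t) => []);
$run('POST with a made-up token', fn($t) => ['form_token' => str_repeat('0', 64)]);

// Second submission of the same token in the same session.
$session = [];
preg_match('/value="([0-9a-f]{64})"/', issue_form_token($session), $m);
check_form_token($session, ['form_token' => $m[1]]);
$again = check_form_token($session, ['form_token' => $m[1]]);
printf("%-40s %s\n", 'Same token sent a second time', $again ? 'accepted' : 'rejected');
```

The first case is also what a client gets when it requests page 1 itself and returns the cookie and hidden value, which is the objection raised in the reply: the token ties a POST to a session that was served the form, not to a browser sitting on your site.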

Archived

This topic is now archived and is closed to further replies.
