Okay, an explanation (sorry for the delay)
I use Perl to generate my forms. (by default, they generate empty forms, but when I see an input error, I generate the partially completed form, marking the inputs that were in error.)
Therefore, inserting a timestamp is easy -- you just generate it and slip it in a hidden form input (I guess you could use cookies, too). It's possible that you could have it generated with javascript, but if it's client side, and their clock is off, you'll run into problems. You could use 'AJAX' or whatever they want to call it to make a call back to your system for the time, but if they don't have javascript they'll still have problems.
For the timestamps, I hadn't thought about the issue of them submitting too quickly -- I was looking at them submitting too slowly (eg, hours/days apart, which is typical for some web spiders if you have a large site), or someone who crawls the site once for forms, then comes back later to run a job against it.
...
As for the one time keys -- you generate a random number (or not random, but something unique), and you keep track of what keys have been issued. When the form is submitted, you remove it from the list you're tracking. If a form comes in with a key that you're not tracking, you reject them.
This requires a little more overhead (the types of forms that I'm protecting like this typically use a database, so I just maintain a table with the keys issued; when a key gets issued or checked, I do some garbage collection and delete keys that are too old (eg, delete from keys where issuetime < sysdate-1)).
This doesn't work well for the situations where it'd be normal for the person to hit back, change a value, and then submit again. (eg, search engines) You probably wouldn't be trying this sort of protection against such sites, but you could set the appropriate caching headers to try to force them to refresh when they go back.
In reply to Re^4: newb: Best way to protect CGI from non-form invocation?
by jhourcle
in thread newb: Best way to protect CGI from non-form invocation?
by JCHallgren
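The one-time key and server-side timestamp scheme from the post above, as an added Perl example (not jhourcle's code): a hash stands in for the keys table, garbage collection runs on every issue and check, and the clock is passed in so the fast, replay and stale cases can be exercised. It assumes a Unix-style /dev/urandom and constructed thresholds of 2 seconds and one day.

```perl
use strict;
use warnings;
# Stand-in for the "keys issued" table (key => issue time, epoch seconds);
# the real thing is a database table with an issuetime column.
my %issued;
my $MAX_AGE   = 24 * 60 * 60;  # one day, like "issuetime < sysdate-1"
my $MIN_DELAY = 2;             # seconds; faster than this looks scripted

sub random_token {             # 256 bits from the kernel, hex-encoded
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32;
    return unpack 'H*', $bytes;
}
# Garbage collection, run on every issue and every check as in the post.
sub gc_keys {
    my ($now) = @_;
    delete $issued{$_} for grep { $issued{$_} < $now - $MAX_AGE } keys %issued;
}
sub issue_key {                # called when the form is (re)generated
    my ($now) = @_;
    gc_keys($now);
    my $key = random_token();
    $issued{$key} = $now;
    return $key;
}
# Hidden input carrying only the key; the issue time stays server-side,
# so the client's clock never matters.
sub hidden_input { qq{<input type="hidden" name="fkey" value="$_[0]">} }
# Called on submit. The key is deleted whether or not the submit is accepted,
# so a replay always fails; a rejected user gets a new key with the new form.
sub check_submission {
    my ($key, $now) = @_;
    gc_keys($now);
    my $issued_at = delete $issued{$key};
    return (0, 'unknown, reused or expired key') unless defined $issued_at;
    return (0, 'submitted too fast') if $now - $issued_at < $MIN_DELAY;
    return (1, 'ok');
}

unless (caller) {              # demo with a fixed clock instead of time()
    my $t0 = time;
    my $k  = issue_key($t0);
    print hidden_input($k), "\n";
    printf "%-8s %s\n", 'fast:',   (check_submission($k, $t0 + 1))[1];
    $k = issue_key($t0);
    printf "%-8s %s\n", 'normal:', (check_submission($k, $t0 + 30))[1];
    printf "%-8s %s\n", 'replay:', (check_submission($k, $t0 + 31))[1];
    $k = issue_key($t0);
    printf "%-8s %s\n", 'stale:',  (check_submission($k, $t0 + 2 * $MAX_AGE))[1];
}
```

In the real CGI the submitted `fkey` parameter and the current `time` are what get passed to `check_submission`; the hash would be replaced by the insert/delete/select against the keys table.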