Additional form security using Session.SessionID

I've been having problems recently with attempted spamming exploits on my form-to-email scripts (i.e. users downloading forms, messing with them and then submitting them remotely to my form-handling scripts) and thought I'd see if comparing the SessionID of the sending page and the form-handling page could help to weed out these dodgy submissions.

Nick Dunn suggested that it would be even more secure if I used a hashed version of the SessionID.

First, I included an MD5 function in both the sending and form-handling pages, as VBScript has no built-in one:

<!--#include file="md5.asp"-->

Then, on both pages, I defined a variable holding the hashed SessionID:

Dim strHashedSessionID
strHashedSessionID = MD5(Session.SessionID)

Next, I added the hashed SessionID to the querystring of the form's action URL, so that it is sent along with the post to the form-handling page:

<form method="post" action="formhandler.asp?sender=<%= strHashedSessionID %>">

On the form-handling page, where strHashedSessionID is recomputed from the same Session.SessionID, I added a server-side error message, generated only if the value on the querystring does not match it:

If Request.QueryString("sender") <> strHashedSessionID Then
    Response.Write "Authentication error: Please re-submit the form"
End If

Finally, if the two values do match, the email is sent:

If Request.QueryString("sender") = strHashedSessionID Then
    ' send the email using CDOSYS
End If

After adding some further server-side form validation, I put this check into my contact form.
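The check described above, modelled in Python as an added example (this is not the post's ASP code), placed beside the alternative most practitioners would reach for: a random token minted once per session, stored server-side and carried in a hidden field. The dictionary standing in for ASP's Session object, the session ids and the scenario names are constructed for the example, and the model treats the session id and the cookie value as the same string, ignoring the ASPSESSIONID encoding. It replays the cases the post is worried about (a saved form posted with no session, or from a fresh session) and one the post does not cover: a poster that holds a session but never loaded the form page. Two caveats the post leaves out: MD5 of the session id adds no secrecy over the id itself, since anyone who knows the id can compute the hash, and a value on the querystring ends up in web-server logs and Referer headers, which a hidden field avoids.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for ASP's Session object: one dict per session cookie value.
# Real ASP session ids are short numeric values assigned by IIS; here they are random
# hex strings, and the id doubles as the cookie value (an assumption of this model).
sessions: Dict[str, dict] = {}


def new_session() -> str:
    """Create a session and return its id (the value the session cookie would carry)."""
    sid = secrets.token_hex(8)
    sessions[sid] = {}
    return sid


# --- Scheme 1: the post's check, MD5(Session.SessionID) on the querystring --------------

def hashed_sender(sid: str) -> str:
    """Equivalent of strHashedSessionID = MD5(Session.SessionID) on the sending page."""
    return hashlib.md5(sid.encode()).hexdigest()


def handle_hashed(sid: Optional[str], sender: Optional[str]) -> bool:
    """formhandler.asp: accept only if ?sender= matches the hash of the caller's session id."""
    if sid is None or sid not in sessions or sender is None:
        return False            # no live session: a direct POST straight to the handler
    return hmac.compare_digest(sender, hashed_sender(sid))


# --- Scheme 2: random per-session token in a hidden field ---------------------------------

def form_token(sid: str) -> str:
    """Sending page: mint a random token once per session, keep it server-side, emit it."""
    sess = sessions[sid]
    if "form_token" not in sess:
        sess["form_token"] = secrets.token_urlsafe(32)
    return sess["form_token"]


def handle_token(sid: Optional[str], token: Optional[str]) -> bool:
    """Handler: accept only if the posted hidden field equals the token stored in the session."""
    sess = sessions.get(sid) if sid else None
    if not sess or "form_token" not in sess or token is None:
        return False            # no session, or a session that never rendered the form
    return hmac.compare_digest(token, sess["form_token"])


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Replay the cases from the post; each value is (hashed-id result, random-token result)."""
    results = {}

    # 1. Normal visitor: loads the form, then posts with the same session cookie.
    sid = new_session()
    sender, token = hashed_sender(sid), form_token(sid)
    results["legitimate"] = (handle_hashed(sid, sender), handle_token(sid, token))

    # 2. The spam case from the post: a form saved earlier, posted straight to the
    #    handler with no session cookie at all.
    results["no_session"] = (handle_hashed(None, sender), handle_token(None, token))

    # 3. The saved form replayed from a fresh session (new cookie, old form values).
    other = new_session()
    results["stale_values"] = (handle_hashed(other, sender), handle_token(other, token))

    # 4. A poster that holds a session but never loaded the form page. The hashed value
    #    depends only on what the poster knows (the id), so it can be computed and is
    #    accepted; the random token exists only once the form was rendered in that
    #    session, so the best an outsider can do is guess, and it is rejected.
    fresh = new_session()
    computed_sender = hashlib.md5(fresh.encode()).hexdigest()
    guessed_token = hashlib.md5(fresh.encode()).hexdigest()
    results["session_but_no_form_load"] = (handle_hashed(fresh, computed_sender),
                                           handle_token(fresh, guessed_token))
    return results


if __name__ == "__main__":
    for name, (hashed_ok, token_ok) in run_scenarios().items():
        print(f"{name:26s} hashed-id: {'accept' if hashed_ok else 'reject':7s}"
              f" random-token: {'accept' if token_ok else 'reject'}")
```

Both schemes reject the two cases the post describes; they differ only in the last scenario, where acceptance under the hashed scheme follows from knowing the session id, while the token scheme additionally requires that the form was served in that session. The comparison uses hmac.compare_digest so that the string check itself does not leak timing information.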

Comments

  • #1
  • Posted by: Mark Voss
  • On: 16/10/2007 10:59:04

For a more basic option, you could simply pass Session.SessionID as a hidden field in the form and then check on the handling page that: Request.Form("session") = CStr(Session.SessionID)
