Question
I am a little confused. I want to protect one page in classic ASP from being accessed by the GET method. Is it possible that someone can post data from another server to my page?
If yes, how do I detect that and allow only POSTs from my server?
Thanks for the help.
Answer 1:
If you are currently using Request("ParameterName") to retrieve parameters then you should change to Request.Form("ParameterName") which will only get the parameter if it was POSTed.
Alternatively you can lookup the method used to access the page from the Request.ServerVariables collection and end the script if it is not POST. Here's an example:
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Response.End
I noticed that you also said that you want to accept posts only from your server. The above changes will still allow another webpage to be set up to POST to your page. If you want to ensure that only your web page can post then you will need to add some more protection. Here's one way of doing it.
1) When you render your form, create a random number and create a session variable named by the random number, with a value to check for later.
Randomize
' CStr so the Session collection is addressed by name rather than by ordinal position
strVarName = CStr(Int((999999 - 100000 + 1) * Rnd() + 100000))
Session(strVarName) = "Authorised"
2) In your form add a hidden field with the value of the random number.
<input type="hidden" name="varname" value="<%= strVarName %>" />
3) In the script that processes the posted form get the value of the hidden field.
strVarName = Request.Form("varname")
4) Check that the session variable is set and has a value of True.
If Session(strVarName) <> "Authorised" Then
'Failed! Either show the user an error message or stop processing
Response.End
End If
5) Remove the session variable so that the same form cannot be resubmitted.
' Classic ASP exposes session variables through Session.Contents
Session.Contents.Remove(strVarName)
You don't need the random number but using it means that the same user can have multiple forms open in different windows/tabs and each one will work.
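The five steps above combined into one complete classic ASP page, as an added example that is not code from the original answer. The page serves the form on GET and processes it on POST, so the token is issued and consumed by the same script. Names such as the hidden field `form_token`, the `tok_` prefix on the session key, the `Authorised` marker and the helper functions `NewToken` and `ConsumeToken` are this example's own choices; it also uses a 32-hex-character token rather than the six-digit number above.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: per-form session token for a classic ASP handler.
' Not from the original answer; names below are this example's own.

' Build a 32-hex-character token from several Rnd() draws.
' NOTE: VBScript's Rnd is a seeded LCG, not a cryptographic generator.
' The longer token makes guessing impractical, but it is still not a CSPRNG.
Function NewToken()
    Dim i, s
    Randomize
    s = ""
    For i = 1 To 8
        s = s & Right("0000" & Hex(Int(Rnd() * 65536)), 4)
    Next
    NewToken = s
End Function

' Validate and consume a token from the POSTed form.
' Returns True at most once per token, and only for a token this session issued.
' The "tok_" prefix keeps the key a string (a name, not an ordinal index).
Function ConsumeToken(token)
    ConsumeToken = False
    If Len(token) <> 32 Then Exit Function                 ' missing or malformed
    If Session("tok_" & token) <> "Authorised" Then Exit Function
    Call Session.Contents.Remove("tok_" & token)           ' one-time use: blocks replay
    ConsumeToken = True
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Request.Form only reads the POST body, so query-string values are ignored.
    If Not ConsumeToken(Request.Form("form_token")) Then
        Response.Status = "403 Forbidden"
        Response.Write "Invalid or expired form token."
        Response.End
    End If
    Response.Write "Accepted: " & Server.HTMLEncode(Request.Form("comment"))
Else
    ' GET (or any other method): issue a fresh token, remember it, render the form.
    Dim tok
    tok = NewToken()
    Session("tok_" & tok) = "Authorised"
%>
<form method="post" action="<%= Request.ServerVariables("SCRIPT_NAME") %>">
  <input type="hidden" name="form_token" value="<%= tok %>" />
  <input type="text" name="comment" />
  <input type="submit" value="Send" />
</form>
<%
End If
%>
```

What stops a page on another server is not the method check but the session binding: another site can make a visitor's browser POST to this page, but it cannot read the token that was rendered into the form under the visitor's session, and the same token cannot be replayed because it is removed on first use. Because the token is the only thing an outside site lacks, it must be hard to guess; if a cryptographic random source is available in your environment, prefer it over Rnd for `NewToken`.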
Source: https://stackoverflow.com/questions/13344797/classic-asp-http-post-from-another-server