I have a question about stopping spoofed form submissions. How about if by using the $_SERVER['HTTP_REFERER'] I only allow submissions to my forms coming from
Spoofing HTTP headers is pretty easy and so shouldn't be used for something that requires rigorous security. One technique typically used is to send both an encrypted cookie and a matching, encrypted token in a hidden input on the form. The cookie should be an HTTP-only cookie. On form submission, check that the value from the cookie and the value from the hidden input match. This will help prevent cross-site request forgeries, since a request to your site can't be successfully made from another site because they'll either be missing the cookie (for a MIM attack) or the hidden input (spoofed form). Of course, this depends on you making sure your site is otherwise secure so they can't sniff the tokens to find out what to supply.
Here's a nice discussion on how this is done in ASP.NET MVC, http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
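
The cookie-plus-hidden-input check described in the answer above, sketched in PHP as an added example (not code from the answer or from the linked article). It swaps the "encrypted" values for a random nonce in the cookie and an HMAC of that nonce in the hidden field; `CSRF_SECRET`, `csrf_issue`, `csrf_verify`, the cookie name `csrf` and the field name `csrf_token` are all hypothetical names.

```php
<?php
declare(strict_types=1);

// Assumption: a server-side secret loaded from configuration (placeholder value here).
const CSRF_SECRET = 'replace-with-a-long-random-server-side-secret';

// Create a fresh token pair: the cookie carries a random nonce, the hidden
// form field carries an HMAC of that nonce keyed with the server secret.
function csrf_issue(string $secret): array
{
    $nonce = bin2hex(random_bytes(32));
    return ['cookie' => $nonce, 'field' => hash_hmac('sha256', $nonce, $secret)];
}

// Accept the submission only if both values are present and the field
// matches the HMAC of the cookie. hash_equals() compares in constant time.
function csrf_verify(array $cookies, array $post, string $secret): bool
{
    $cookie = $cookies['csrf'] ?? null;
    $field  = $post['csrf_token'] ?? null;
    if (!is_string($cookie) || !is_string($field) || $cookie === '') {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $cookie, $secret), $field);
}

// When rendering the form in a web request (not run in this CLI demo):
//   $t = csrf_issue(CSRF_SECRET);
//   setcookie('csrf', $t['cookie'], ['httponly' => true, 'secure' => true, 'path' => '/']);
//   echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($t['field']) . '">';
// When handling the POST:
//   if (!csrf_verify($_COOKIE, $_POST, CSRF_SECRET)) { http_response_code(403); exit; }

// Constructed sample requests to exercise the check.
$t = csrf_issue(CSRF_SECRET);
$cases = [
    'legitimate form post'        => [['csrf' => $t['cookie']], ['csrf_token' => $t['field']]],
    'cookie sent, field missing'  => [['csrf' => $t['cookie']], []],
    'field sent, cookie missing'  => [[], ['csrf_token' => $t['field']]],
    'field does not match cookie' => [['csrf' => $t['cookie']], ['csrf_token' => str_repeat('0', 64)]],
    'field is an array'           => [['csrf' => $t['cookie']], ['csrf_token' => ['x']]],
];
foreach ($cases as $name => [$cookies, $post]) {
    printf("%-28s %s\n", $name, csrf_verify($cookies, $post, CSRF_SECRET) ? 'accepted' : 'rejected');
}
```

Because the field is derived from the cookie with a server-side key, a page that can neither read the cookie nor compute the HMAC cannot produce a matching pair.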