Posted to dev@httpd.apache.org by ra...@madhaus.utcs.utoronto.ca on 1996/05/01 02:51:02 UTC

Restricting POST access from external forms?

Is there any way to restrict a POST method request if the originating
form is not local?  As far as I can tell, there isn't, but I could
have missed something.  Checking HTTP_REFERER in a CGI script will do the
trick, but it would be nice to add a configuration directive for this.

-Rasmus

Re: Restricting POST access from external forms?

Posted by ra...@madhaus.utcs.utoronto.ca.
> Is there any way to restrict a POST method request if the originating
> form is not local?  As far as I can tell, there isn't, but I could
> have missed something.  Checking HTTP_REFERER in a CGI script will do the
> trick, but it would be nice to add a configuration directive for this.

Ugh!  Yes, I am replying to my own stupid question.  Too much coding, not
enough sleep.

This obviously can't be done by the server.  Some sort of cookie mechanism,
or an intelligent one-time password scheme passed from page to page might
do the trick.  The question being, "How do you stop someone from sending
fake POST data to a CGI?"  It would be nice if one could trust hidden
form fields to not have been tampered with by the client.  Best way is
probably the one-time password/checksum idea.  Regardless, it's not an
Apache issue.

-Rasmus
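
The one-time password/checksum idea from the reply above, as an added example that is not part of the original thread: the server signs its hidden form fields together with a single-use token, and the CGI rejects any POST whose fields, checksum or token do not match. The function names, the `_nonce` and `_mac` field names, the HMAC-SHA256 choice and the in-memory token store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Assumption: a server-side secret that is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
# Assumption: in-memory set of issued, unused tokens (a real CGI would persist this).
_issued = set()


def _mac(nonce, fields):
    # URL-encode the sorted pairs so name/value boundaries are unambiguous.
    msg = urlencode([("_nonce", nonce)] + sorted(fields.items()))
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_form(hidden):
    """Return the hidden fields to emit, plus a one-time token and checksum."""
    nonce = secrets.token_hex(16)
    _issued.add(nonce)
    return {**hidden, "_nonce": nonce, "_mac": _mac(nonce, hidden)}


def verify_post(body, protected):
    """Check a urlencoded POST body; `protected` names the server-set fields."""
    posted = dict(parse_qsl(body, keep_blank_values=True))
    nonce = posted.get("_nonce", "")
    fields = {name: posted.get(name, "") for name in protected}
    expected = _mac(nonce, fields)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(posted.get("_mac", "").encode(), expected.encode()):
        return False  # hidden field altered, or form not issued by this server
    if nonce not in _issued:
        return False  # token unknown or already used (replayed POST)
    _issued.discard(nonce)
    return True


if __name__ == "__main__":
    # Constructed sample form and POST bodies.
    form = issue_form({"item": "widget", "price": "19.99"})
    body = urlencode(form)
    print("tampered price:", verify_post(body.replace("19.99", "0.01"), ["item", "price"]))
    print("genuine POST:  ", verify_post(body, ["item", "price"]))
    print("replayed POST: ", verify_post(body, ["item", "price"]))
```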