Form post security


Jimmy Turnip

10:14 am on Jun 3, 2005 (gmt 0)

10+ Year Member



Anyone know a way I can ensure that a form has been posted from a specific page without using request.referrer or a session?

mrMister

1:37 pm on Jun 3, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I wouldn't recommend the HTTP_REFERER at all because it's easily forged.

The session (cookie) based technique, although better, has problems too as all a user needs to do is get the cookie from your form submit page, then generate their own form submission and send the cookie along with the request.

Another option that you may not have thought of is to log the user's IP (on disk or in memory) when they visit the form submit page. Then check for that when you process the form request. Like the cookie solution, it doesn't prove that the form was submitted from your server (the user could make a request, then generate their own form submittal).

Also, it could cause problems for people who have an IP that changes on each request (I believe AOL users do this).

I suspect there may well be an alternative solution to your problem. Can you please explain exactly what you are trying to achieve and maybe a bit of lateral thinking can provide a solution.

Jimmy Turnip

2:25 pm on Jun 3, 2005 (gmt 0)

10+ Year Member



Thanks for replying mrMister.

I have multiple static html pages where users have to submit a date that is in a certain range, which is then posted to an asp.net page for processing. The maximum and minimum dates are in hidden fields on those static pages.

My problem is that someone could potentially create their own form with their own date ranges outside those of the ones that are desired and then submit it to the processing page.

I cannot use the request.referrer method because some firewalls hide this and I am reluctant to convert the static pages to aspx pages because they have very high traffic volumes, although I realise that I may have to. How can I confirm that a post to the aspx page came from one of the static pages containing the date ranges?

mrMister

3:10 pm on Jun 3, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have multiple static html pages where users have to submit a date that is in a certain range, which is then posted to an asp.net page for processing. The maximum and minimum dates are in hidden fields on those static pages.

Is it possible for you to put the minimum/maximum date information in the ASPX page and validate it there?

Jimmy Turnip

8:39 am on Jun 6, 2005 (gmt 0)

10+ Year Member



Not really, because each static page has different max and min dates, but they are all submitting to the same aspx page.

I thought maybe I could append a guid to the header of each page, then put it in a short term cache - say 2 minutes, so it changes frequently, and check for its existence on the aspx page. I know this could be faked, but at least it will make it a little more secure.

Any other ideas?

Jimmy Turnip

9:56 am on Jun 6, 2005 (gmt 0)

10+ Year Member



Nope, realised my idea is flawed actually. Anything else?

Dijkgraaf

12:00 am on Jun 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You could have as part of your static submit page a field containing a code for that submit page. Then in your asp processing page you use this code to do a lookup which gets the valid date range for that page (database table perhaps?), and validates the dates submitted against that. Validation is really the only thing you can do to protect against this.

Yes they can still post the hidden code themselves, but since both the code and the date range have to be valid, it would have the same effect if they used the real submit.

To make it really tidy you might even want to change your static pages to dynamic ones so that they retrieve the date range from the same table, then if you need to change the dates you only have one place to change.
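The lookup-and-validate approach described above, as an added example that is not code from this thread or from any of its posters. The thread's processing page is ASP.NET; this Python module shows the same handler logic so it can be run stand-alone. It goes one step beyond Dijkgraaf's suggestion: besides the page-code lookup, it shows a keyed-hash (HMAC) signature over the hidden min/max fields, so a static page on an affiliate site can carry its own range without a database row per page and a tampered range still fails. The page codes, date ranges and signing key are constructed sample values, not anything from the thread.

```python
"""Server-side validation of a date posted from a static form page.

Added example, not code from the thread.  Two checks are shown:

1. Page-code lookup (Dijkgraaf's suggestion): the static page posts a short
   page code; the handler looks up the allowed range for that code and
   validates the date itself.  The posted min/max fields are never trusted.
2. Signed hidden fields (a generalisation): the static page carries min/max
   plus an HMAC over them, computed once with a secret only the server holds.
   Editing the range or forging a form without the key fails the check.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample lookup table: page code -> (min date, max date).
# In the thread this would be a database table keyed by the page's code.
PAGE_RANGES = {
    "summer-offer": (date(2005, 6, 1), date(2005, 8, 31)),
    "winter-offer": (date(2005, 12, 1), date(2006, 2, 28)),
}

# Constructed server-side secret (assumption).  Load from configuration in a
# real deployment and never embed it in the static pages.
SIGNING_KEY = b"example-secret-do-not-use"


def parse_iso_date(text):
    """Parse an ISO 8601 date (YYYY-MM-DD); return None for missing or bad input."""
    try:
        return date.fromisoformat(text)
    except (TypeError, ValueError):
        return None


def validate_by_code(form):
    """Check the posted date against the server-side range for the posted page code.

    `form` is a dict of posted fields.  Returns (ok, reason).
    """
    page_range = PAGE_RANGES.get(form.get("page_code", ""))
    if page_range is None:
        return False, "unknown page code"
    chosen = parse_iso_date(form.get("chosen_date"))
    if chosen is None:
        return False, "malformed date"
    lo, hi = page_range
    if not (lo <= chosen <= hi):
        return False, "date outside allowed range"
    return True, "ok"


def sign_range(min_date, max_date):
    """Compute the hidden-field signature a static page embeds next to its min/max."""
    msg = f"{min_date.isoformat()}|{max_date.isoformat()}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def validate_by_signature(form):
    """Check that the posted min/max carry a valid signature, then validate the date."""
    lo = parse_iso_date(form.get("min_date"))
    hi = parse_iso_date(form.get("max_date"))
    chosen = parse_iso_date(form.get("chosen_date"))
    if lo is None or hi is None or chosen is None:
        return False, "malformed date"
    expected = sign_range(lo, hi)
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    if not hmac.compare_digest(expected, form.get("sig", "")):
        return False, "range signature invalid"
    if not (lo <= chosen <= hi):
        return False, "date outside allowed range"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions: one genuine, one with a widened range.
    genuine = {"min_date": "2005-06-01", "max_date": "2005-08-31",
               "chosen_date": "2005-07-15",
               "sig": sign_range(date(2005, 6, 1), date(2005, 8, 31))}
    widened = dict(genuine, max_date="2005-12-31", chosen_date="2005-11-30")
    print("lookup:", validate_by_code({"page_code": "summer-offer", "chosen_date": "2005-07-15"}))
    print("signed, genuine:", validate_by_signature(genuine))
    print("signed, widened:", validate_by_signature(widened))
```

Either check answers the question the thread keeps circling back to: the handler never needs to know which page the browser was on, only whether the range it is asked to honour is one the server itself issued. The signed-field variant suits pages the server cannot query a database for (the affiliate-hosted copies), while the lookup variant keeps all ranges in one place, as Dijkgraaf's last paragraph suggests.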

Jimmy Turnip

8:33 am on Jun 8, 2005 (gmt 0)

10+ Year Member



This problem is becoming annoying. I've tried a few solutions now, but each one has problems of its own.

I don't want to use a database on the static pages because some will appear on affiliate sites although validating the date ranges from the db on the aspx page seems like the only solution at the moment. I'm really not looking forward to entering all that data though.

Preferably all I want to do is check where the form has been posted from.

Dijkgraaf

10:21 pm on Jun 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



By checking the referer?
Sometimes this won't be populated though, so it's not 100% reliable.

Or do you already have an identifier (e.g. affiliate id) being posted?