Last week I received some spam mails through my formmail.php from someone who hit the script directly by spoofing the referrer. So I added some extra security stuff that (I hope) will prevent this in the future.
Maybe someone else can use this too, so I thought it might be a good idea to post them here.
First I'm using session cookies to prevent direct hits on my form pages. If someone accesses the form pages without visiting the main page first, he is redirected to a security page telling him to access the main page first and use the menu to access the form page.
The php code on the main page that starts the session is:
<?php
session_start();
// Mark this visitor as having started from the main page
$_SESSION['valid'] = "goahead";
?>
The code on the form pages that takes care of validating the session is:
<?php
session_start();
// Redirect anyone who arrived without the flag set by the main page.
// isset() avoids a PHP notice on a fresh session; with display_errors on,
// that notice would be output before header() and break the redirect.
if (!isset($_SESSION['valid']) || $_SESSION['valid'] !== "goahead") {
    header("Location: security.html");
    exit();
}
?>
As the cookie is already set if a visitor is able to access the form pages, I added the session-validating code to the formmail.php script too (finally got that working :lol: ), so the script cannot be accessed if the cookie doesn't exist. Anyone trying is redirected to another error page:
<?php
session_start();
// Same check as on the form pages; formmail.php must not run without the session flag
if (!isset($_SESSION['valid']) || $_SESSION['valid'] !== "goahead") {
    header("Location: error.html");
    exit();
}
?>
Second, I added a .htaccess file to the folder holding the formmail.php script specifying the exact referrers that are allowed to access the formmail script. I'm using mod_setenvif and mod_access for this:
# The pattern is a regex: anchor it and escape the dots so only the exact URLs match
SetEnvIfNoCase Referer "^http://www\.mydomain\.com/contactform1\.html$" goodrefer
SetEnvIfNoCase Referer "^http://www\.mydomain\.com/contactform2\.html$" goodrefer
SetEnvIfNoCase Referer "^http://www\.mydomain\.com/contactform3\.html$" goodrefer
SetEnvIfNoCase Referer "^http://www\.mydomain\.com/contactform4\.html$" goodrefer
# Deny everyone, then let through only requests that carry the goodrefer mark
Order Deny,Allow
Deny from all
Allow from env=goodrefer
I hope this can be useful to someone. Any comments are welcome.
Aiko Timmer
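As an added example (not part of Aiko's post or the formmail script), here is a variant of the session check above that goes one step further: each visit to a form page gets a random, single-use token stored in the session and rendered into the form as a hidden field, and formmail.php only accepts a POST that carries the token it issued. The file name formguard.php, the function names, the 30 minute token lifetime and the hidden field name "token" are assumptions; it also assumes the form pages are served as PHP so the token can be embedded, and PHP 7.0 or later for random_bytes().

```php
<?php
// formguard.php (assumed file name) - session-bound, single-use form token.
// Added example for gating formmail.php; assumes PHP 7.0+ (random_bytes).

declare(strict_types=1);

const FORM_TOKEN_TTL = 1800; // seconds a token stays valid (assumed value)

// Call on the page that carries the contact form. Sets the same session
// flag as the main page and returns the token to embed in the form.
function issue_form_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));            // 128 random bits
    $_SESSION['valid']       = 'goahead';
    $_SESSION['form_token']  = $token;
    $_SESSION['form_issued'] = time();
    return $token;
}

// Hidden input for the form; escaped for the HTML attribute context.
function form_token_field(string $token): string
{
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Call at the top of formmail.php. Returns null when the request may be
// processed, otherwise a short reason suitable for the error log.
function validate_form_request(array $server, array $post, array &$session): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'not a POST';
    }
    if (($session['valid'] ?? '') !== 'goahead') {
        return 'no session flag';                  // skipped the main page
    }
    $expected = $session['form_token'] ?? '';
    $issued   = (int) ($session['form_issued'] ?? 0);
    $supplied = $post['token'] ?? '';

    // Consume the token before comparing: one issued form, one submission.
    unset($session['form_token'], $session['form_issued']);

    if ($expected === '' || !is_string($supplied) || $supplied === '') {
        return 'missing token';                    // also catches token[]=
    }
    if (!hash_equals($expected, $supplied)) {      // constant-time compare
        return 'token mismatch';
    }
    if (time() - $issued > FORM_TOKEN_TTL) {
        return 'token expired';
    }
    return null;
}

// Usage on a form page (e.g. contactform1.php):
//   require 'formguard.php';
//   $token = issue_form_token();
//   echo '<form method="post" action="formmail.php">'
//      . form_token_field($token)
//      . ' ...the usual fields... </form>';
//
// Usage at the top of formmail.php, before any mail is sent:
//   require 'formguard.php';
//   session_start();
//   if (($why = validate_form_request($_SERVER, $_POST, $_SESSION)) !== null) {
//       error_log('formmail rejected: ' . $why
//                 . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
//       header('Location: error.html');
//       exit();
//   }
```

The token is removed from the session before it is compared, so a wrong or replayed submission cannot be retried with the same value, and hash_equals() is used instead of == so the comparison does not leak timing information. The rejection reason goes to the error log rather than to the visitor, which keeps the redirect to error.html uninformative for whoever is probing the script.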