Is there any way (in Java Servlet) to determine whether a HTTP POST or GET request is a result from a submission from a HTML form or otherwise?
views:
676answers:
7I think it is impossible unless the client itself is co-operating (means the client set some header)
Not really. You could check the user agent string but that can be set by the caller.
Well, you could look at the agent string and see if it was from a browsr, or from your client app (assuming it has its own agent string)
You could possibly do it with a hidden form field + a cookie.
What you could do is set up a nonce, and have that as the hidden field of the form. You would then apply that to a cookie that is sent along with the form. The cookie should be linked to the hidden field, and should also contain some kind of nonce. Finally, when the form is submitted, you can check the cookie and hidden field, and see if they are correct. If you want, link it up to the IP address and user agent of the original request for the form. You could even spice all this up with some Javascript. Make the hidden field blank to start with, but then some ajax to request the hidden field nonce from the server.
This won't be perfect, but that should get you 80%-90% of the way there. Someone with decent HTTP skills could still spoof it though.
It raises the question however, why do you want to differentiate the request at that level?
Or are you really just trying to figure out whether or not the user hit the "submit" button? (If that is the case, then the name/value pair of the submit button should be in the request entity/query string... depending on the form method.)
If you have control over the client, then you could attach a custom header to identify the sender.
Some javascript libraries already do this when making XmlHTTPRequests, so that you can handle Ajax calls different to standard requests.
Examine the headers of each incoming request to see if there is anything you could use.
You are not clear whether you want to dinstinguish between legitimate diffent access methods, or against forged attacs (ie. robots or hackers that attempts to look like they are ordinary users).
In the first case keprao have some fine advice for inspecting the headers. In the second case there is basically no way to distinguish between the requests, though robots can be hindered by captchas or authentication.