Form security using Session.SessionID

I’ve been having problems recently with attempted spamming exploits on my form-to-email scripts (i.e. users downloading forms, messing with them and then submitting them remotely to my form handling scripts) and thought I’d see if comparing the SessionID of the sending page and the form handling page could help to weed out these fake submissions.

I also thought it would be neater if I used a hashed version of the SessionID, so the raw session identifier never appears in a URL. (Note that hashing adds no secrecy against the person submitting the form: they can see the hashed value in the page source either way. What the check relies on is that a third party cannot guess the value for someone else’s session.)

First I included the MD5 function in both the sending and form handling pages, as classic ASP has no built-in MD5 function:

<!--#include file="md5.asp"-->

Then I defined a variable for the hashed SessionID. Session.SessionID is a Long, so it is converted to a string before hashing:

Dim strHashedSessionID
' Hash the numeric session ID as a string; the same line runs on both pages
strHashedSessionID = MD5(CStr(Session.SessionID))

Next I added the hashed SessionID to the query string of the form handling page:

<form method="post" action="formhandler.asp?sender=<%= strHashedSessionID %>">

On the form handling page, I added a server-side error message, generated only if the two values don’t match:

If Request.QueryString("sender") <> strHashedSessionID Then
 ' Token missing or computed under a different session: stop here so the
 ' rest of the handler (including the email code) never runs
 Response.Write "Authentication error: Please re-submit the form"
 Response.End
End If

Finally, if the two values do match, the email is sent:

If Request.QueryString("sender") = strHashedSessionID Then
 ' Token matches the current session: send the email using CDOSYS
End If
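The same idea, written out as a complete pair of pages. This is an added example, not the original post’s code. It keeps the post’s md5.asp include (assumed to define MD5(str) returning a hex string), but makes two changes a practitioner would want: the token is mixed with a server-side secret (the FORM_SECRET constant is a hypothetical placeholder) so it cannot be computed from the session ID alone, and it travels in a hidden POST field rather than the query string, where it would end up in web-server logs and Referer headers.

```asp
<%
' ---- contactform.asp (added example; assumes md5.asp provides MD5(str)) ----
%>
<!--#include file="md5.asp"-->
<%
' Hypothetical secret; in practice read it from a config file outside the web root
Const FORM_SECRET = "replace-with-a-long-random-value"

' Create one token per session on first visit. Because the secret is mixed in,
' knowing a session ID is not enough to forge a token for that session.
If IsEmpty(Session("FormToken")) Then
    Session("FormToken") = MD5(CStr(Session.SessionID) & "|" & FORM_SECRET)
End If
%>
<form method="post" action="formhandler.asp">
  <!-- Token carried as a hidden field, HTML-encoded like any other output -->
  <input type="hidden" name="token" value="<%= Server.HTMLEncode(Session("FormToken")) %>">
  <input type="text" name="email">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>

<%
' ---- formhandler.asp (added example) ----
Dim submitted, expected
submitted = CStr(Request.Form("token"))   ' "" when the field is absent
expected  = Session("FormToken")          ' Empty when the form was never loaded in this session

' Reject if this session never issued a token (a saved copy of the form posted
' from elsewhere), or if the posted token is blank or differs byte-for-byte.
If IsEmpty(expected) Or submitted = "" Or StrComp(submitted, expected, vbBinaryCompare) <> 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "Authentication error: please reload the page and re-submit the form."
    Response.End
End If

' ... validate email, message and any other fields here before using them ...
' send the email using CDOSYS
%>
```

Two caveats worth keeping in mind. The check only proves that whoever posted the form first loaded it in the same session; a spam bot that fetches the page with cookie handling enabled will receive a valid token, so it stops replays of downloaded copies, not scripted submissions in general. And because the token is compared with an ordinary string comparison (VBScript has no constant-time compare), the design leans on the token being unguessable rather than on the comparison being timing-safe.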

After adding some further server-side form validation, I added this security scripting to my contact form.