
Expiring pages

Posted: Mon Jul 26, 2004 3:07 pm
by Calimero
Not sure where this goes, but let's try from here:


I have a random number generator (avatar, I think it's called).
It prints a number on a page, and you have to type it in the text field in order to submit the form.

This is my problem. I think that this system can be easily tricked by the BACK button and inputting the value again (the text field type is password, but the page is loaded with the same random number).

Is there any way to prevent this type of abuse (somehow for the page to expire, or maybe IP filtering (just came to my mind))?

Anyway, any suggestions would come in handy.

Thanks Ahead !

Posted: Mon Jul 26, 2004 4:02 pm
by feyd
create an image with the random text embedded inside.

...

Posted: Mon Jul 26, 2004 4:05 pm
by Calimero
just one question, HOW?

Do you mean PHP to create an image on the fly and then insert a random string that is also generated on the fly?

But isn't that way also vulnerable, if I click the BACK button in the browser and just copy-paste the code inside the text field?

Posted: Mon Jul 26, 2004 4:12 pm
by feyd
each query to that "image" would generate a new random string... the text data itself isn't passed to the browser, like you implied your code works now. In that, it's far less vulnerable.

read into the image functions on php.net: http://php.net/image

we've got several discussions laying around in the forums talking about it.. although few, if any, with complete code.

Posted: Mon Jul 26, 2004 4:14 pm
by jtc970
you could save the code to a db then verify it against that, once it's used remove it from the db
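
A sketch of the approach suggested in the two replies above, added here as an example and not code posted by anyone in the thread: the expected value stays on the server, only an opaque id goes into the form, and the row is deleted on the first verification attempt so a BACK-button resubmit fails. The table and function names are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical store: one row per issued challenge (assumed schema).
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE challenge (
        id TEXT PRIMARY KEY, code TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Issue a challenge. $id goes into a hidden form field; $code is only
// ever drawn into the image (e.g. with the GD image functions), never
// written into the HTML as text.
function issue_challenge(PDO $db, int $ttl = 300): array {
    $id   = bin2hex(random_bytes(16));
    $code = (string) random_int(100000, 999999);
    $db->prepare('INSERT INTO challenge (id, code, expires) VALUES (?, ?, ?)')
       ->execute([$id, $code, time() + $ttl]);
    return [$id, $code];
}

// Verify and consume. The row is deleted whether or not the answer is
// right, so each challenge allows exactly one attempt.
function verify_challenge(PDO $db, string $id, string $answer): bool {
    $db->beginTransaction();
    $sel = $db->prepare('SELECT code, expires FROM challenge WHERE id = ?');
    $sel->execute([$id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $del = $db->prepare('DELETE FROM challenge WHERE id = ?');
    $del->execute([$id]);
    $consumed = $del->rowCount() === 1; // only one request can win this
    $db->commit();

    if ($row === false || !$consumed || (int) $row['expires'] < time()) {
        return false; // unknown id, already used, or expired
    }
    return hash_equals($row['code'], $answer); // constant-time compare
}

// Constructed demo: first submit, then the same form resubmitted via BACK.
$db = open_store();
[$id, $code] = issue_challenge($db);
var_dump(verify_challenge($db, $id, $code));
var_dump(verify_challenge($db, $id, $code));
```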

...

Posted: Mon Jul 26, 2004 4:38 pm
by Calimero
Still searching .....

If you know which topic it is, please...

Or if you have the code, ...


Thanks Ahead !

Posted: Mon Jul 26, 2004 7:36 pm
by John Cartwright
it is all explained @ http://php.net/image which feyd already suggested

Posted: Tue Jul 27, 2004 9:53 am
by AGISB
If you want to see an example of something like this try:

http://www.register.com

type in an existing domain name and then click on view whois info