Is it advisable to...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Is it advisable to...

Post by seodevhead »

I have numerous forms on my applications that need some sort of "multiple submit" prevention. I have read the easiest way of doing this is by using sessions. However, none of my scripts use sessions. Is it advisable to use sessions to prevent multiple form submissions in this case, even though I don't use them for any other reason?

Honestly, I have heard some scary stuff about using sessions and I am a bit concerned about using them for this reason (because of various XSS type hacks) as I am new to sessions completely (not cookies though). Any ideas or advice is greatly appreciated! Thanks!
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Don't fret about using sessions; they can be your best friend if used right, and are about 1,000,000 times safer than cookies. What are you worried about? Flood control or quality control?
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Not sure what "flood control" is... but what I am most concerned about is XSS or any other type of hack attempt. I have been warned before not to use sessions unless I understand them thoroughly, as they are very risky for beginning programmers who are learning the basics. I know what I have read in the books that I have on PHP, in the chapters that cover cookies/sessions; however, I understand that these books are devoid of "important" information regarding malicious user/hacker prevention, and usually the examples are easily exploited. Since I want to go live... I want to make sure I cover my bases as best I can. :)
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Flood control is preventing a form from being submitted x amount of times in a given period. As for preventing XSS or any other 'hack attempt', validating your data is your best defence. I'm serious about the session comment; they really aren't as risky as you're saying... :?
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Thanks for the help hawley. I want to do my best as far as flood control is concerned... and the easiest route seems to be by using sessions. I would also like to start implementing and learning more about sessions anyway, so this is a good time to start. I have been doing some reading up on various session security techniques that help prevent maliciousness. Maybe you can shed some light on this.

I have read that using session_regenerate_id() is recommended whenever there is, quote:

"a change in the level of privilege"

I am a little confused as to what this means. What would be the privilege they are referring to?

Also... I have been reading about "authentication tokens"... is this a highly recommended practice... or is this something that can be regarded as "optional extra steps to safety" by the php community? Thanks a ton for your help and advice!
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

I've seen session_regenerate_id used but I rarely use it. Typically your biggest threat with sessions is session hijacking. This can happen a couple of ways. The easiest to explain is when you create a session and the browser (usually a cookie issue) displays the SESSIONID=sdfasfasdfs8d90s8df in the URL and the user passes that URL to someone else. (Hence session hijacking.) To defeat this I validate that the IP address and browser are the exact same as the IP and browser when the session was started. However, this isn't 100% good all the time. People's IP addresses can change during a session. However, the research I did was that this doesn't happen often, and when it does I was willing to make the sacrifice for the few people this may happen to. (Hasn't happened yet :) )
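The IP/browser binding hawleyjr describes, plus session_regenerate_id() at the "change in the level of privilege" asked about above (login), as an added example that is not code from this thread. Function names are my own; the $_SERVER keys, ini settings and session functions are standard PHP 7+.

```php
<?php
// Added example (not code from the thread): bind a session to the client's
// IP address and User-Agent, as hawleyjr describes, and regenerate the id
// when the privilege level changes. Function names are my own.

function client_fingerprint(): string
{
    // Hash the values rather than storing them raw. REMOTE_ADDR can change
    // mid-session for some users (proxies, mobile networks): the caveat above.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

function secure_session_start(): void
{
    // Reject ids the client invented; only server-issued ids are accepted.
    ini_set('session.use_strict_mode', '1');
    // Keep the id in the cookie only, never in the URL (the leak hawleyjr describes).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();

    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = client_fingerprint();
    } elseif (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Mismatch: treat as a possible hijack. Drop the data and issue a fresh
        // id so the id the other party holds no longer maps to anything.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = client_fingerprint();
    }
}

function elevate_privilege(int $userId): void
{
    // "A change in the level of privilege": an anonymous visitor becomes a
    // logged-in user. A new id here means an id captured before login
    // cannot be used to ride the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage: at the top of every page, then once after a successful login.
secure_session_start();
// elevate_privilege($authenticatedUserId);
```

A user whose IP changes mid-session (the case hawleyjr accepts losing) is simply given a fresh anonymous session rather than an error.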
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Wow hawley... thanks so much for your help. I have been reading as much as I can find on session security, and the more I read the more scared I get. But I wasn't sure what was a "must-do" and what could be considered overkill or optional. These security nuts tell developers to do everything under the sun because they live in a fierce world... so it has been hard for me to determine things on my own. Thank you.

And lastly... what are your thoughts on preventing form spoofing (correct term?)... where someone will create the same form and place that php script on their own server and have it send data to the form results page. I would think that if you filter all your data thoroughly, that it wouldn't be necessary to test the integrity of the location the form is coming from... correct? Is this merely another "optional" (I hate saying optional because it is subjective to how security-conscious you are) measure to take... or is this a must-do kinda thing?
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Sessions are really your only option to prevent that; however, if a user creates a session on your page and then opens their own form with the action going to your form processor, they're in. If you are really concerned, install a CAPTCHA image to make sure the user is on your form.

You will never be able to be 100% sure a user is at your form; however, if you have the proper validation when you process the form, then who cares?
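A session-stored, single-use form token, as an added example that is not code from this thread. It covers both of seodevhead's questions at once: the original "multiple submit" problem (the token is consumed on first use) and the copied-form case discussed just above (a form served from elsewhere cannot know the token tied to this visitor's session). Function and field names are my own; the PHP calls are standard PHP 7+.

```php
<?php
// Added example (not code from the thread): a per-form token kept in the
// session. A submit is accepted once (the token is consumed), and a copy of
// the form hosted elsewhere cannot know the token tied to this visitor's
// session. Function and field names are my own.

session_start();

function issue_form_token(string $formName): string
{
    // 32 bytes from the OS CSPRNG, hex-encoded so it is safe in an attribute.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$formName] = ['value' => $token, 'issued' => time()];
    return $token;
}

function consume_form_token(string $formName, string $submitted, int $maxAge = 1800): bool
{
    $stored = $_SESSION['form_tokens'][$formName] ?? null;
    // Remove it first: pass or fail, a token is single-use, so a double-click
    // or a replayed POST cannot be processed twice.
    unset($_SESSION['form_tokens'][$formName]);
    if ($stored === null || (time() - $stored['issued']) > $maxAge) {
        return false;
    }
    // Constant-time compare.
    return hash_equals($stored['value'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the form with the token in a hidden field.
    $token = issue_form_token('contact');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="form_token" value="'
       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
       . '<input type="text" name="message">'
       . '<input type="submit" value="Send">'
       . '</form>';
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token('contact', $_POST['form_token'] ?? '')) {
        http_response_code(400);
        exit('Form token missing, expired or already used; please reload the form.');
    }
    // Token accepted: now validate the data itself, as hawleyjr advises.
    $message = trim($_POST['message'] ?? '');
    echo 'Received ' . strlen($message) . ' bytes.';
}
```

The token is in addition to, not instead of, validating the submitted fields; it only establishes that this POST came from a form this session was actually shown.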