Changing value of a session variable when submitting a form

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Wentu
Forum Newbie
Posts: 11
Joined: Sun Feb 02, 2003 1:09 pm

Changing value of a session variable when submitting a form

Post by Wentu »

Hi all

I built an application where a single PHP file displays different pages. In every page there are some forms, some submit buttons, and in every form there is a hidden variable called "state". Every action redirects to the same file.
Every page is visualized with a function, so that the main body of the application is something like:

if state has not been set yet, visualize page 0
if state == 0 visualize page 0
if state == 1 visualize page 1
and so on.

Now I'd like to do that with session variables, and I'd like to completely avoid the use of hidden variables. (BTW, is it true that hidden variables could be easily exploited to create security flaws?)

Is it possible to change the value of a session variable when submitting the form? Please, without using onSubmit or other JavaScript.

I'd appreciate, if not a complete answer, at least some redirection to a good and exhaustive tutorial: I couldn't find any that explains this apparently simple topic.

Thanks!

Wentu
Jade
Forum Regular
Posts: 908
Joined: Sun Dec 29, 2002 5:40 pm
Location: VA

Post by Jade »

I've worked with sessions for a while. If you want to change the value of the session from the form, you just have to change the value that's in the session, using session_register or even just setting it to a different value. Try the session part of the PHP manual:

http://www.php.net/manual/sl/function.s ... gister.php
Wentu
Forum Newbie
Posts: 11
Joined: Sun Feb 02, 2003 1:09 pm

Post by Wentu »

Yes but, ahem... I mean... I know I have to change the value of the session variable, but the problem is how to link this change to the submission of the form without using insecure means like a hidden variable.

Maybe I can't explain exactly what I mean.

Could someone else understand my obscure mind? :cry:

Thanks!

Wentu
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

The value for the session variables is set on the server side. You cannot have a client-side action change the session variable.

Yes, hidden form variables are potentially exploitable, but they are no more or less secure than any other form variable.

I routinely use both session variables and POSTed form variables. The session variables track things that are not "new": things that I already know and will need again. The POSTed (or GETed) variables provide the new input from the user. As with any user input, you need to cleanse it.

In order to "hack" hidden forms the user has to:
1) save a "View Source" page
2) modify the saved source so that their "hacked" hidden values are included as the hidden form variables, also changing the form action="" to make sure it includes the full URL back to your site
3) view the modified saved source file on their computer
4) fill out the form and submit (the submit will go back to your code)

To protect against this:
Easy option (somewhat easy to hack around, though): double-check the HTTP_REFERER; if it's not you, then it's someone hacking the form.

Better option, but harder, possibly overkill for many people:
Cryptographically sign the hidden values, i.e. pair up every hidden variable with something like
<input type="hidden" name="hiddenVar1" value="stuff">
<input type="hidden" name="hiddenVar1MAC" value="MAC of stuff">

MAC of stuff is calculated in your script as MD5("stuff".$SERVER_SECRET_PHRASE);

Pick a pass phrase (same rules as a password, often longer), store it as
$SERVER_SECRET_PHRASE, and stick it wherever you store your
DB connection constants (hopefully out of the web tree).

When you process the form you recompute "MAC of stuff" and test whether it matches. If it doesn't, you have detected a hack attempt.


// recompute the MAC over the received value and compare with the received MAC
if (md5($_POST["hiddenVar1"] . $SERVER_SECRET_PHRASE) != $_POST["hiddenVar1MAC"])
{ // bad guy active ... do something
}
else
{ // safe to use the received hidden value
}
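A runnable sketch of the two approaches in the post above, added here as an example; it is not nielsene's code and not from the original thread. Part (1) keeps "state" in the session and lets the POST carry only the user's action, which the server checks against a transition table. Part (2) is the hidden-field MAC, with hash_hmac()/hash_equals() standing in for the md5(value . secret) construction described in the post. The secret, the field names, the transition table and the sample POST arrays are invented for the demo, and the session is passed in as an array so the script runs from the CLI without a web server:

```php
<?php
// Added example, not code from the original thread. Names, the secret, the
// transition table and the POST arrays below are constructed for the demo.
declare(strict_types=1);

// In real use load this from a config file outside the web tree.
const SERVER_SECRET_PHRASE = 'a long random pass phrase kept out of the web tree';

// (1) State lives in the session. The client only says which button it
// pressed; the server decides whether that action is legal from the current
// state. Unknown or illegal actions leave the state unchanged.
const TRANSITIONS = [
    0 => ['start' => 1],
    1 => ['next' => 2, 'back' => 0],
    2 => ['finish' => 3, 'back' => 1],
];

function next_state(array $session, array $post): array
{
    $state  = $session['state'] ?? 0;                 // "not set yet" means page 0
    $action = isset($post['action']) ? (string)$post['action'] : '';
    $session['state'] = TRANSITIONS[$state][$action] ?? $state;
    return $session;
}

// (2) If a value really must travel through the client, pair it with a MAC.
// The field name is mixed into the MAC input so a signed value for one field
// cannot be replayed as a different field.
function hidden_with_mac(string $name, string $value, string $secret): string
{
    $mac = hash_hmac('sha256', $name . "\0" . $value, $secret);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return sprintf('<input type="hidden" name="%s" value="%s">' . "\n"
                 . '<input type="hidden" name="%sMAC" value="%s">' . "\n",
                 $esc($name), $esc($value), $esc($name), $mac);
}

// Returns the hidden value if its MAC verifies, null otherwise.
function verified_hidden(array $post, string $name, string $secret): ?string
{
    if (!isset($post[$name], $post[$name . 'MAC'])) {
        return null;
    }
    $value    = (string)$post[$name];
    $expected = hash_hmac('sha256', $name . "\0" . $value, $secret);
    // hash_equals() compares in constant time; a plain != leaks timing.
    return hash_equals($expected, (string)$post[$name . 'MAC']) ? $value : null;
}

// ---- demo with constructed input -----------------------------------------

// A fresh visitor walks through the pages, then sends an action that is not
// legal from the final state.
$session = [];
foreach (['start', 'next', 'finish', 'bogus'] as $action) {
    $session = next_state($session, ['action' => $action]);
    printf("action=%-6s -> state=%d\n", $action, $session['state']);
}

// Render a signed hidden field, then simulate an honest submission and one
// where the value was edited in "View Source" but the MAC was left alone.
$html = hidden_with_mac('state', '2', SERVER_SECRET_PHRASE);
echo $html;
preg_match('/name="stateMAC" value="([0-9a-f]+)"/', $html, $m);

$honest   = ['state' => '2', 'stateMAC' => $m[1]];
$tampered = ['state' => '7', 'stateMAC' => $m[1]];
var_dump(verified_hidden($honest,   'state', SERVER_SECRET_PHRASE));
var_dump(verified_hidden($tampered, 'state', SERVER_SECRET_PHRASE));
```

Two caveats worth keeping in mind: the MAC only proves the server issued that value at some point, so a user can still replay an old signed value unless you also mix something per-session (for instance the session id) into the MAC input; and none of this is a substitute for validating the posted action against the current server-side state, which is what part (1) does and which answers the original question without any hidden field at all.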
Wentu
Forum Newbie
Posts: 11
Joined: Sun Feb 02, 2003 1:09 pm

Post by Wentu »

Thank you so much Nielsene
This is what i was looking for :wink:

Just for the sake of curiosity: would it be even safer if $SERVER_SECRET_PHRASE were variable? Something like the present date. I guess there would be problems only around midnight, maybe...

Thanks again

Wentu
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Wentu wrote: Just for the sake of curiosity: would it be even safer if $SERVER_SECRET_PHRASE were variable? Something like the present date. I guess there would be problems only around midnight, maybe...
Well, it depends on your site. Do you think people are likely to attack your site for some specific purpose? If you're "just" trying to protect against "attacks of opportunity" (such as a cracker just trying to own another box, but who doesn't care which box), then merely making it tougher than most other sites is enough, as there will be easier targets out there.

If you are worried about targeted attacks against your site, where the attacker has an ax to grind or a reason for choosing your site, then yes, you may want to rotate the secret phrase. However, using the current date is NOT good. The attacker must not be able to predict or guess the phrase. And yes, any time you change the phrase you invalidate any currently viewed pages. Often when changing pass phrases it is good to have a "This site is down for maintenance" type message for maybe 5 minutes to avoid this.