
Changing value of a session variable when submitting a form

Posted: Sun May 25, 2003 12:44 pm
by Wentu
Hi all

I built an application where a single PHP file displays different pages. In every page there are some forms, some submit buttons and in every form there is a hidden variable called "state". Every action redirects to the same file.
Every page is visualized with a function so that the main body of the application is something like:

if state has not been set yet, visualize page 0
if state == 0 visualize page 0
if state == 1 visualize page 1
and so on.

Now, I'd like to do that with session variables and I'd like to completely avoid the use of hidden variables. (BTW, is it true that hidden variables could be easily exploited to create security flaws?)

Is it possible to change the value of a session variable when submitting the form? Please, without using OnSubmit or other JavaScript.

I'd appreciate, if not a complete answer, at least some redirection to a good and exhaustive tutorial: I couldn't find any that explain this apparently simple topic.

Thankx !

Wentu

Posted: Sun May 25, 2003 1:57 pm
by Jade
I've worked with sessions for a while. If you wanted to change the value of the session from the form you just have to change the value that's in the session using session_register or even just setting it to a different value. Try the session part of the PHP manual:

http://www.php.net/manual/sl/function.s ... gister.php

Posted: Sun May 25, 2003 4:38 pm
by Wentu
Yes but, ahem.. I mean... I know I have to change the value of the session variable but the problem is how to link this change to the submission of the form without using insecure means like a hidden variable.

Maybe I can't explain exactly what I mean.

Could someone else understand my obscure mind? :cry:

thankx !

Wentu

Posted: Sun May 25, 2003 6:05 pm
by nielsene
The value for the session variables is set on the server side. You can not have a client side action change the session variable.

Yes, hidden form variables are potentially exploitable, but no more or less secure than any other form variable.

I routinely use both session variables and post'ed form variables. The session variables track things that are not "new" -- things that I already know and will need again. The post'ed (or get'ed) variables provide the new input from the user. As with any user input you need to cleanse it.

In order to "hack" hidden forms the user has to
1) save a "View Source" page
2) modify the saved source so that their "hacked" hidden value is included as the hidden form variable, also changing the form action="" to make sure it includes the full URL back to your site
3) View the modified saved source file on their computer
4) fill out the form and submit (the submit will go back to your code)

To protect against this:
Easy option (somewhat easy to hack around, though): double check the HTTP_REFERER; if it's not you, then it's someone hacking the form.

Better option, but harder, possibly overkill for many people:
Cryptographically sign the hidden values, i.e. pair up every hidden variable, something like
<input type="hidden" name="hiddenVar1" value="stuff">
<input type="hidden" name="hiddenVar1MAC" value="MAC of stuff">

MAC of stuff is calculated in your script as MD5("stuff".$SERVER_SECRET_PHRASE);

Pick a pass phrase (same rules as a password, often longer), store it as $SERVER_SECRET_PHRASE and stick it wherever you store your DB connection constants (hopefully out of the web-tree).

When you process the form you recompute "MAC of stuff" and test if it matches. If it doesn't, you have detected a hack attempt.

Code:

// $SERVER_SECRET_PHRASE comes from the config file kept outside the web tree
if (md5($_POST["hiddenVar1"].$SERVER_SECRET_PHRASE) !== $_POST["hiddenVar1MAC"])
{ // bad guy active ... do something
}
else
{ // safe to use the received hidden value
}
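
The signing scheme from the post above, as an added example that is not part of the original post or its author's code: it swaps the MD5(value.secret) construction for HMAC-SHA256, compares with hash_equals, and goes one step further by binding each MAC to the field name and the session ID so a MAC issued for one field or session is rejected for any other. The function names, FORM_MAC_KEY and the sample values are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example. FORM_MAC_KEY is a constructed placeholder: load the real key
// from configuration stored outside the web tree.
const FORM_MAC_KEY = 'constructed-demo-key-replace-with-random-bytes';

// MAC for one hidden field, bound to its name and to the current session.
function form_mac(string $name, string $value, string $sessionId): string
{
    $msg = '';
    foreach ([$sessionId, $name, $value] as $part) {
        // Length-prefix each part so ("ab","c") and ("a","bc") differ.
        $msg .= strlen($part) . ':' . $part;
    }
    return hash_hmac('sha256', $msg, FORM_MAC_KEY);
}

// Emit the hidden field and its companion MAC field, HTML-escaped.
function signed_hidden(string $name, string $value, string $sessionId): string
{
    $n = htmlspecialchars($name, ENT_QUOTES);
    $v = htmlspecialchars($value, ENT_QUOTES);
    $m = form_mac($name, $value, $sessionId);
    return "<input type=\"hidden\" name=\"$n\" value=\"$v\">\n"
         . "<input type=\"hidden\" name=\"{$n}MAC\" value=\"$m\">";
}

// Return the verified value, or null if missing, malformed or modified.
function verified_hidden(array $post, string $name, string $sessionId): ?string
{
    $value = $post[$name] ?? null;
    $mac   = $post[$name . 'MAC'] ?? null;
    if (!is_string($value) || !is_string($mac)) {
        return null; // absent, or submitted as an array (name[]=...)
    }
    // hash_equals compares as strings in constant time; loose == / != would
    // compare two numeric-looking hex strings as numbers.
    return hash_equals(form_mac($name, $value, $sessionId), $mac) ? $value : null;
}

// Constructed round trip: a genuine submission, then one with an edited value.
$sid  = 'constructed-session-id'; // in a real page: session_id()
$good = ['state' => '1', 'stateMAC' => form_mac('state', '1', $sid)];
$bad  = ['state' => '2', 'stateMAC' => $good['stateMAC']];
echo signed_hidden('state', '1', $sid), "\n";
var_dump(verified_hidden($good, 'state', $sid));
var_dump(verified_hidden($bad, 'state', $sid));
```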

Posted: Mon May 26, 2003 2:25 am
by Wentu
Thank you so much Nielsene
This is what I was looking for :wink:

Just for the sake of curiosity: would it be even safer if $SERVER_SECRET_PHRASE were variable? Something like the present date. I guess there would be problems only around midnight maybe...

thankx again

Wentu

Posted: Mon May 26, 2003 11:02 am
by nielsene
Wentu wrote: Just for the sake of curiosity: would it be even safer if $SERVER_SECRET_PHRASE were variable? Something like the present date. I guess there would be problems only around midnight maybe...
Well it depends on your site. Do you think people are likely to attack your site for some specific purpose? If you're "just" trying to protect against "attacks of opportunity" (such as a cracker just trying to own another box, but doesn't care which box) then merely making it tougher than most other sites is enough as there will be easier targets out there.

If you are worried about targeted attacks against your site where the attacker has an ax to grind or a reason for choosing your site then yes, you may want to rotate the secret phrase. However using the current date is NOT good. The attacker must not be able to predict or guess the phrase. And yes, anytime you change the phrase you invalidate any currently viewed pages. Often when changing pass phrases it is good to have a "This site down for maintenance" type message for maybe 5 minutes to avoid this.