Securing a conference booking system

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Securing a conference booking system

Post by andym01480 »

I'm coding a conference booking system for a group of churches.

Step 1: Which church are you from - session initialised. Unique booking_id created and session id regenerated.
Step 2: Add delegates - unique ticket_id.
Step 3: Finalise booking, address details and payment.

All steps are initiated from booking.php. At each step a summary so far is shown. I've successfully ensured that the steps have to be done in order and protected against resubmissions and back button issues.

I want to allow people to edit or cancel individual tickets during step 2. booking_id is in the $_SESSION, and editticket.php?id=1 would allow editing of ticket_id 1.

I'm checking that the booking_id is in that ticket_id record in the ticket database table before allowing editing. I don't think that is enough security though.

Here's the plan

    $_SESSION['token'] = "salt" . $booking_id;

at the top of booking.php and then if I check for it in editticket.php

Is it enough? Or do I need to do more to protect against people just trying to edit other people's tickets!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Securing a conference booking system

Post by kaisellgren »

In order to edit tickets, the person would need to be logged in as the user who has the rights to alter the details. In addition to that, CSRF anti-tokens need to be placed on your forms. That's the way you should do it.
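The two checks kaisellgren describes, as an added example that is not code from either poster: the ticket lookup is scoped to the booking_id held in the session (so a ticket from another booking looks like a missing ticket), and a per-session random CSRF token, rather than a token derived from booking_id, guards the save. The table layout, column names, the handleEditTicket() function and the in-memory SQLite rows are all constructed for the demo.

```php
<?php
// Constructed demo: the $_SESSION array is filled in directly instead of
// calling session_start(), so this runs from the command line.

function csrfToken(array &$session): string
{
    // Random, per-session secret. Unlike "salt" . $booking_id, it cannot be
    // predicted by someone who knows (or guesses) another booking's id.
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function findOwnedTicket(PDO $db, int $ticketId, int $bookingId): ?array
{
    // The authorisation is in the WHERE clause: the ticket must belong to the
    // booking in the session, not merely exist.
    $stmt = $db->prepare(
        'SELECT ticket_id, delegate FROM ticket WHERE ticket_id = ? AND booking_id = ?'
    );
    $stmt->execute([$ticketId, $bookingId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Models the POST handler of editticket.php; returns a status string.
function handleEditTicket(PDO $db, array &$session, array $post): string
{
    if (!isset($session['booking_id'])) {
        return 'no-booking';                       // step 1 not completed
    }
    $submitted = $post['csrf'] ?? '';
    if (!hash_equals(csrfToken($session), (string)$submitted)) {
        return 'csrf-rejected';                    // constant-time compare
    }
    $ticket = findOwnedTicket($db, (int)($post['id'] ?? 0), (int)$session['booking_id']);
    if ($ticket === null) {
        return 'not-found';                        // wrong booking or no such ticket
    }
    $db->prepare('UPDATE ticket SET delegate = ? WHERE ticket_id = ?')
       ->execute([(string)$post['delegate'], $ticket['ticket_id']]);
    return 'updated';
}

// --- constructed sample data: booking 100 owns ticket 1, booking 200 owns ticket 2 ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ticket (ticket_id INTEGER PRIMARY KEY, booking_id INTEGER, delegate TEXT)');
$db->exec("INSERT INTO ticket VALUES (1, 100, 'Alice'), (2, 200, 'Bob')");
$_SESSION = ['booking_id' => 100];
$token = csrfToken($_SESSION);
echo handleEditTicket($db, $_SESSION, ['id' => 2, 'delegate' => 'Eve', 'csrf' => $token]), "\n"; // not-found
echo handleEditTicket($db, $_SESSION, ['id' => 1, 'delegate' => 'Eve', 'csrf' => 'x']), "\n";    // csrf-rejected
echo handleEditTicket($db, $_SESSION, ['id' => 1, 'delegate' => 'Eve', 'csrf' => $token]), "\n"; // updated
```

Because the ownership check is part of the query, the GET view and the POST save share one rule, and the "id" parameter alone never selects which row may be changed.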