
Securing a conference booking system

Posted: Fri Nov 06, 2009 11:38 am
by andym01480
I'm coding a conference booking system for a group of churches.

Step 1 Which church are you from - session initialised. Unique booking_id created and session id regenerated
Step 2 Add delegates - unique ticket_id
Step 3 Finalise booking, address details and payment

All steps are initiated from booking.php. At each step a summary so far is shown. I've successfully ensured that the steps have to be done in order and protected against resubmissions and back button issues.

I want to allow people to edit or cancel individual tickets during step 2. booking_id is in the $_SESSION and editticket.php?id=1 would allow editing of ticket_id 1.

I check that the booking_id is in that ticket_id record in the ticket database table before allowing editing. I don't think that is enough security though.

Here's the plan

$_SESSION['token'] = "salt" . $booking_id;
at the top of booking.php and then if I check for it in editticket.php

Is it enough? Or do I need to do more to protect against people just trying to edit other people's tickets!

Re: Securing a conference booking system

Posted: Sat Nov 07, 2009 5:20 am
by kaisellgren
In order to edit tickets, the person would need to be logged in as the user who has the rights to alter the details. In addition to that, CSRF anti-tokens need to be placed on your forms. That's the way you should do it.
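Combining the ownership check from the question (ticket must belong to the booking_id held in the session) with the CSRF token the reply recommends, as an added PHP example that is not code from either poster; it assumes a PDO connection `$pdo` and a `tickets` table with `ticket_id` and `booking_id` columns (connection, table and column names are assumptions).

```php
<?php
// Added example (not from the original post): ownership check plus CSRF token for
// editticket.php. Assumes a PDO connection $pdo and a `tickets` table with columns
// ticket_id and booking_id (connection, table and column names are assumptions).
session_start();

// Issue one CSRF token per session; embed it in every form that changes a ticket.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak timing information.
function csrfTokenIsValid(?string $submitted): bool {
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Return the ticket only if it belongs to the booking held in this session.
function loadOwnedTicket(PDO $pdo, int $ticketId, int $bookingId): ?array {
    $stmt = $pdo->prepare(
        'SELECT ticket_id, booking_id FROM tickets WHERE ticket_id = ? AND booking_id = ?'
    );
    $stmt->execute([$ticketId, $bookingId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// editticket.php?id=1 : fail closed when the session has no booking in progress.
if (!isset($_SESSION['booking_id'])) {
    http_response_code(403);
    exit('No booking in progress');
}
$ticket = loadOwnedTicket($pdo, (int)($_GET['id'] ?? 0), (int)$_SESSION['booking_id']);
if ($ticket === null) {
    http_response_code(404); // same answer whether the ticket is missing or someone else's
    exit('Ticket not found');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... apply the edit or cancellation to $ticket here ...
}
?>
<form method="post" action="editticket.php?id=<?= (int)$ticket['ticket_id'] ?>">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">
</form>
```

The 404 for a ticket that exists but belongs to another booking avoids confirming to a guessing visitor that the id is valid; the CSRF check runs only after ownership has been established, so a forged request cannot touch any ticket outside the visitor's own session.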