CRSF...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

WhizzBang
Forum Newbie
Posts: 11
Joined: Sat Jul 11, 2009 5:39 pm

CRSF...

Post by WhizzBang »

Hi, I'm a bit of a noob, but I need some help...

I have this in my script, to add a "token" to my forms...

```php
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
```
I have this in my form...

```php
// The hidden field is emitted from inside a single-quoted PHP string
echo '<input type="hidden" name="formID" value="'.$token.'">';
```
And now this to check the session...

```php
if($_POST['formID'] != $_SESSION['token'])
{
    unset($_SESSION['token']);
    exit('You are attempting to exploit the site, your IP address has been logged.');
}
```
The problem I'm having is, the $_POST['formID'] and $_SESSION['token'] are never the same. I'm sure it's just me being a noob, but I could really use some help here.

Regards
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: CRSF...

Post by kaisellgren »

Are you regenerating the token before comparing the two values?
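The mismatch kaisellgren is hinting at usually comes from creating a fresh token at the top of every request, so the value stored in the session has already changed by the time the handler compares it with the one the browser sent back. Below is an added example (not code from either poster) that generates the token only when none exists, compares it in constant time, and rotates it only after a successful check; the function names and the `formID` field name are assumptions for illustration.

```php
<?php
// Added example, not the thread's code: a minimal CSRF token flow.
// The token is created once per session and only replaced AFTER a
// successful check, never before the comparison.

session_start();

// Return the current session token, creating it only if none exists yet.
// Regenerating it on every request (e.g. at the top of the form page AND
// again at the top of the handler) guarantees that POST and session differ.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        // 32 bytes from a CSPRNG; md5(uniqid(rand(), true)) is predictable by comparison.
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Validate a submitted token against the session value in constant time.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $submitted);
}

// Emit the hidden field; the value is escaped so nothing in it can break
// out of the attribute (hex never does, but escaping output is the habit).
function csrf_field(): string
{
    return '<input type="hidden" name="formID" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['formID'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // Token accepted: rotate it only now, so it cannot be replayed.
    unset($_SESSION['token']);
    echo 'Form accepted.';
} else {
    echo '<form method="post">' . csrf_field()
       . '<button type="submit">Send</button></form>';
}
```

If the handler and the form live in separate files, both must call `session_start()` and neither may overwrite `$_SESSION['token']` before `csrf_check()` runs.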