CRSF...

Posted: Sun Dec 13, 2009 4:58 am
by WhizzBang
Hi, I'm a bit of a noob, but I need some help...

I have this in my script, to add a "token" to my forms...

Code:

$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
I have this in my form...

Code:

<input type="hidden" name="formID" value="'.$token.'">
And now this to check the session...

Code:

if($_POST['formID'] != $_SESSION['token'])
{
    unset($_SESSION['token']);
    exit('You are attempting to exploit the site, your IP address has been logged.');
}
The problem I'm having is, the $_POST['formID'] and $_SESSION['token'] are never the same. I'm sure it's just me being a noob, but I could really use some help here.

Regards

Re: CRSF...

Posted: Sun Dec 13, 2009 6:20 am
by kaisellgren
Are you regenerating the token before comparing the two values?
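For reference, here is an added example (not code from either poster) of the pattern the thread is after: issue the token only once per session, so that rendering the form and handling the POST do not each overwrite it, and compare the two values with a constant-time check. It assumes PHP 7 or later for random_bytes() and hash_equals(), which stand in for the md5(uniqid()) approach in the original post.

```php
<?php
// Added example: per-session CSRF token that is issued once and checked on POST.
// Assumes PHP 7+ (random_bytes, hash_equals); the field name "formID" follows the thread.
session_start();

// Return the session's token, creating it only if none exists yet. Regenerating
// it on every request (when drawing the form AND again when handling the POST)
// is a common reason the posted value never matches the session value.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Compare the submitted value to the session value in constant time.
// Returns true only when both exist and are identical.
function csrf_check(?string $submitted): bool
{
    if (!isset($_SESSION['token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['formID'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // The token was valid: drop it so the same value cannot be submitted again.
    unset($_SESSION['token']);
    // ... process the form submission here ...
}

// Rendering the form: embed the current token in the hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="formID" value="' . $token . '">'
   . '<button type="submit">Send</button>'
   . '</form>';
```

The script must call session_start() before the form is rendered and again before the POST is checked, otherwise $_SESSION['token'] is empty on one side of the comparison.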