POST request security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

markthien
Forum Commoner
Posts: 33
Joined: Fri Feb 13, 2009 7:50 pm

POST request security

Post by markthien »

Hi guys,

My login.php is like below:

Code:

<?php

	header("Content-Type: text/html; charset=utf-8");
	require_once('bin/verify-user-logon.php');

	// $_SESSION can only be written after session_start(); the guard assumes
	// verify-user-logon.php may already have started the session
	if (session_id() === '') {
		session_start();
	}

	// set the session token (regenerated on every load of this page)
	$_SESSION['sess_token'] = uniqid(md5(microtime()), true);

?>

<form id="login_form" action="process-login.php" method="post">
	<!-- the token is escaped before it is echoed into the markup -->
	<input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['sess_token'], ENT_QUOTES, 'UTF-8'); ?>"/>
	<table class="login">
		<tr>
			<td>Email</td>
			<td><input type="text" name="email" id="email" class="textbox"/></td>
		</tr>
		<tr>
			<td>Password</td>
			<td><input type="password" name="password" id="password" class="textbox"/></td>
		</tr>
		<tr>
			<td></td>
			<td><input type="submit" id="login" name="login" value="Login"/></td>
		</tr>
	</table>
</form>

process-login.php

Code:

<?php

header('Content-type: text/html; charset=UTF-8');
header('Cache-Control: no-cache');

// the session must be started before $_SESSION can be read
if (session_id() === '') {
	session_start();
}

$post_token    = isset($_POST['token']) ? trim($_POST['token']) : null;
$session_token = isset($_SESSION['sess_token']) ? trim($_SESSION['sess_token']) : null;

if (empty($post_token)) {
	$error_log_content = "Post token is null or empty";
} else if (empty($session_token)) {
	$error_log_content = "Session token is null or empty";
} else if (strcasecmp($post_token, $session_token) != 0) {
	$error_log_content = "Session token and post token is not the same";
} else {
	// continue login
	......................
}

?>
Appreciate any advice please. Thanks in advance!

Cheers,
Mark Thien
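The token flow the post is reaching for, as an added example that is not markthien's code: one token per session instead of per page load, a constant-time comparison, and a session id rotation once the credentials check out. It assumes PHP 7.1+ (random_bytes(), hash_equals(), the ?? operator); the hidden input in login.php would echo csrf_token() through htmlspecialchars().

```php
<?php
// csrf.php (added example, not markthien's code). Assumes PHP 7.1+ for
// random_bytes(), hash_equals() and ??. login.php and process-login.php
// both require_once this file so they share one session.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Per-session token, created on first use. Making it once per session rather
// than on every page load (as login.php does) means a second open tab of the
// login form does not silently invalidate the first.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits, OS CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison: hash_equals() does not leak how many leading
// characters matched, which strcasecmp() does. Arrays (token[]=x) are rejected.
function csrf_validate($posted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($posted) || $posted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $posted);
}

// First call in process-login.php: log the mismatch and refuse the request.
function require_valid_csrf(): void
{
    if (!csrf_validate($_POST['token'] ?? null)) {
        error_log('login: token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(403);
        exit('Invalid request.');
    }
}

// After the credentials check out: a new session id so a fixated id is not
// promoted to logged-in, and a fresh token for the authenticated session.
function on_successful_login(int $user_id): void
{
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
    $_SESSION['user_id'] = $user_id;
}
```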
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: POST request security

Post by social_experiment »

What is the use of the token in the code?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
markthien
Forum Commoner
Posts: 33
Joined: Fri Feb 13, 2009 7:50 pm

Re: POST request security

Post by markthien »

To identify that the request is from the actual user who visited the page. I am not so sure if this is needed. Please kindly advise. Thanks!
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: POST request security

Post by social_experiment »

OK, I have 2 points here. Firstly, you could write the token value to the database and then test against that instead of using the token value inside the form as a hidden value (which is very much visible when viewing the source code). Secondly, you can turn the checking sequence into an 'if-else' loop.

Code:

<?php
 // your headers (and session_start(), so $_SESSION is available)

 // define variables
 $post_token    = isset($_POST['token']) ? trim($_POST['token']) : null;
 $session_token = isset($_SESSION['sess_token']) ? trim($_SESSION['sess_token']) : null;

 // start checking: the empty() tests come first so strcasecmp() only ever sees two
 // real strings, and the != 0 applies to the result of strcasecmp(), not to its argument
 if (empty($post_token) || empty($session_token)
     || strcasecmp($post_token, $session_token) != 0) {
  // request is invalid, inform user, log the incident, etc.
 }
 else {
  // continue login
 }
?>
markthien
Forum Commoner
Posts: 33
Joined: Fri Feb 13, 2009 7:50 pm

Re: POST request security

Post by markthien »

Saving to and retrieving from the db takes too many resources and too much time. Imagine you have 1 million visitors in a minute. I just want to know if verifying the token is necessary and whether it adds extra security.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: POST request security

Post by social_experiment »

I don't think it adds security, and if you are worried about resources, removing those token checks will save even more of those.
getmizanur
Forum Commoner
Posts: 71
Joined: Sun Sep 06, 2009 12:28 pm

Re: POST request security

Post by getmizanur »

Correct me if I'm wrong, however the only reason you want to post a token is to avoid session hijacking.

There are a couple of options you can use:

IP-based validation: use an md5 hash of the user's IP address and place it in your session; subsequent requests are permitted when the IP hash matches the one stored in the session. Saying that, there is no guarantee that the user's IP address is going to be static, especially if they are behind a proxy server farm.

Browser signature validation: a browser signature based on the headers that the browser sends with every request. This is a better option, as generally the browser headers remain constant for the same user.

Code may look like this:

Code:

// request headers that normally stay constant for one browser across a session
$key = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = "";
foreach ($key as $v) {
 // skip headers the client did not send instead of raising a notice
 if (isset($_SERVER[$v])) $tmp .= $_SERVER[$v];
}
// signature to store in the session on the first request and compare on later ones
$token = md5($tmp);

Referrer validation: this technique checks that the source page shown in HTTP_REFERER is a legitimate 'forwarding' page.

I hope this rambling helps.
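The browser-signature option carried through to a working check, as an added example that is not getmizanur's code: it binds the session on the first request, compares on every later one, and logs a mismatch before dropping the session. It assumes PHP 7.1+; the header list and the log format are this example's choices.

```php
<?php
// session-guard.php (added example, not getmizanur's code). Assumes PHP 7.1+.
// Binds the session to the browser signature described in the post and logs a
// mismatch instead of silently accepting the request.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Headers that normally stay constant for one browser across a session.
// REMOTE_ADDR is left out on purpose: clients behind proxy farms change address.
const SIGNATURE_KEYS = ['HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING'];

function browser_signature(array $server): string
{
    $parts = [];
    foreach (SIGNATURE_KEYS as $k) {
        $parts[] = $server[$k] ?? '';   // a missing header is an empty field, not nothing
    }
    // The separator keeps "ab"+"c" and "a"+"bc" from producing the same hash.
    return hash('sha256', implode("\x1f", $parts));
}

// Run on every request; returns true when the session may continue.
function session_guard(array $server): bool
{
    $sig = browser_signature($server);
    if (!isset($_SESSION['sig'])) {
        $_SESSION['sig'] = $sig;        // first request of the session: bind it
        return true;
    }
    if (hash_equals($_SESSION['sig'], $sig)) {
        return true;
    }
    // A User-Agent that changes mid-session is rare for a real user, so the
    // mismatch is worth a log line for detection. Then drop the session.
    error_log(sprintf('session signature mismatch sid=%s ip=%s ua=%s',
        session_id(), $server['REMOTE_ADDR'] ?? '-', $server['HTTP_USER_AGENT'] ?? '-'));
    $_SESSION = [];
    session_destroy();
    return false;
}

if (!session_guard($_SERVER)) {
    http_response_code(403);
    exit('Session invalid, please log in again.');
}
```

Header binding only raises the bar, since whoever holds a stolen cookie usually controls the headers too; treat it as a detection signal alongside Secure and HttpOnly cookie flags and session_regenerate_id() at login.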