
POST request security

Posted: Tue Apr 26, 2011 9:29 pm
by markthien
Hi guys,

My login.php is like below:

<?php

	header("Content-Type: text/html; charset=utf-8");
	require_once('bin/verify-user-logon.php');

	// make sure a session exists before writing to $_SESSION
	// (verify-user-logon.php may already have started one)
	if (session_id() === '') {
		session_start();
	}

	// set the session token
	$_SESSION['sess_token'] = uniqid(md5(microtime()), true);

?>

<form id="login_form" action="process-login.php" method="post">
	<!-- the token is echoed back to the server with the form and compared to the session copy -->
	<input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['sess_token']); ?>"/>
	<table class="login">
		<tr>
			<td>
				Email
			</td>
			<td>
				<input type="text" name="email" id="email" class="textbox"/>
			</td>
		</tr>
		<tr>
			<td>
				Password
			</td>
			<td>
				<input type="password" name="password" id="password" class="textbox"/>
			</td>
		</tr>
		<tr>
			<td>
			</td>
			<td>
				<input type="submit" id="login" name="login" value="Login"/>
			</td>
		</tr>
	</table>
</form>
process-login.php

<?php

header('Content-type: text/html; charset=UTF-8');
header('Cache-Control: no-cache');

// the session must be started before $_SESSION['sess_token'] can be read
if (session_id() === '') {
	session_start();
}

$post_token = isset($_POST['token']) ? trim($_POST['token']) : null;
$session_token = isset($_SESSION['sess_token']) ? trim($_SESSION['sess_token']) : null;

if (empty($post_token)) {
	$error_log_content = "Post token is null or empty";
} else if (empty($session_token)) {
	$error_log_content = "Session token is null or empty";
} else if (strcasecmp($post_token, $session_token) != 0) {
	$error_log_content = "Session token and post token is not the same";
} else {
	// continue login
	// ......................
}

?>
Appreciate any advice please. Thanks in advance!

Cheers,
Mark Thien

Re: POST request security

Posted: Wed Apr 27, 2011 2:11 pm
by social_experiment
What is the use of the token in the code?

Re: POST request security

Posted: Wed Apr 27, 2011 8:46 pm
by markthien
To identify that the request is from the actual user who visited the page. I am not so sure if this is needed. Please kindly advise. Thanks!

Re: POST request security

Posted: Thu Apr 28, 2011 1:14 am
by social_experiment
Ok, I have 2 points here. Firstly, you could write the token value to the database and then test against that instead of using the token value inside the form as a hidden value (which is very much visible when viewing the source code). Secondly, you can turn the checking sequence into an 'if-else' loop.

<?php
 // your headers

 // define variables
 $post_token = isset($_POST['token']) ? trim($_POST['token']) : null;
 $session_token = isset($_SESSION['sess_token']) ? trim($_SESSION['sess_token']) : null;

 // start checking: test for empty values first so strcasecmp() never sees null,
 // and note the closing parenthesis belongs after $session_token, i.e.
 // strcasecmp($post_token, $session_token) != 0
 if (empty($post_token) || empty($session_token)
     || strcasecmp($post_token, $session_token) != 0) {
  // request is invalid, inform user, log the incident, etc.
 }
 else {
  // continue login
 }
?>

Re: POST request security

Posted: Thu Apr 28, 2011 1:38 am
by markthien
Saving and retrieving from the db takes too much resources and time. Imagine you have 1 million visitors in a minute. I just want to know if verifying the token is necessary and if it adds extra security.

Re: POST request security

Posted: Thu Apr 28, 2011 1:51 pm
by social_experiment
I don't think it adds security, and if you are worried about resources, removing those token checks will save even more of those.

Re: POST request security

Posted: Thu Apr 28, 2011 3:35 pm
by getmizanur
Correct me if I'm wrong, however the only reason you want to post a token is to avoid session hijacking.

There are a couple of options you can use:

IP based validation: use an md5 hash of the user's IP address and place it in your session; subsequent requests are permitted when the IP hash matches the one stored in the session. That said, there is no guarantee that the user's IP address is going to be static, especially if they are behind a proxy server farm.

Browser signature validation: a browser signature based on the headers that the browser sends with every request. This is a better option as generally the browser headers remain constant for the same user.

The code may look like this:

// request headers that normally stay the same for one browser across requests
$key = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = "";
foreach ($key as $v) {
 // skip headers the client did not send
 if (isset($_SERVER[$v])) $tmp .= $_SERVER[$v];
}
// store this in the session and compare it against later requests
$token = md5($tmp);

Referrer validation: this technique checks that the source page shown in HTTP_REFERER is a legitimate 'forwarding' page.

I hope this rambling helps.
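The thread never settles what the hidden token actually defends against, so here is an added example (mine, not code from any poster) of the same check done properly: the per-session token is a CSRF defence, generated from the CSPRNG and compared in constant time, while the header fingerprint from the last post is kept only as a weak extra check that a session is still being used by the same browser, since it cannot stop someone who copies the headers along with the cookie. It assumes a plain PHP session and PHP 7 or later; the function and session key names are my own.

```php
<?php
// Added example, not code from the thread: hardened token check for
// process-login.php plus the header-based session signature from the
// last post. Function and $_SESSION key names are assumptions.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Hash of request headers that normally stay constant for one browser.
// Only an extra sanity check on an existing session, not a replacement
// for an unguessable session id and TLS.
function browser_signature(): string {
    $keys = ['HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING'];
    $raw = '';
    foreach ($keys as $k) {
        $raw .= $_SERVER[$k] ?? '';
    }
    return hash('sha256', $raw);
}

// Call when rendering the login form. random_bytes() is a CSPRNG;
// uniqid()/md5(microtime()) is time-based and far easier to predict.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['sess_token'] = $token;
    $_SESSION['sess_sig'] = browser_signature();
    return $token;
}

// Call in process-login.php. Returns null on success or a reason to
// log; do not echo the reason back to the client verbatim.
function check_form_token(array $post): ?string {
    $posted = isset($post['token']) ? (string) $post['token'] : '';
    $stored = isset($_SESSION['sess_token']) ? (string) $_SESSION['sess_token'] : '';
    if ($posted === '' || $stored === '') {
        return 'token missing';
    }
    // hash_equals() runs in constant time; strcasecmp()/== leak timing.
    if (!hash_equals($stored, $posted)) {
        return 'token mismatch';
    }
    if (!hash_equals($_SESSION['sess_sig'] ?? '', browser_signature())) {
        return 'browser signature changed';
    }
    unset($_SESSION['sess_token']); // one-time use: a replayed form fails
    return null;
}
```

In login.php the hidden field becomes `value="<?php echo htmlspecialchars(issue_form_token()); ?>"`, and process-login.php logs and stops whenever `check_form_token($_POST)` returns a non-null reason.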