PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Tue Jan 31, 2012 6:15 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
For that purpose it's not important if the token parameters are known or not, it is important that they are tamper-proof - this is what HMAC signing does.
Storing it in form hidden vars allows you to easily serve multiple forms on a page with different tokens but same var names to be checked server-side. If you store them in a session, you'll need some type of namespacing.
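The HMAC-signed hidden-field token this post describes, as an added PHP example (not code from the thread): the form name, session id and issue time travel in the hidden field in the clear, and the HMAC is what makes them tamper-proof, so two forms on one page can share the field name and still get distinct tokens. The secret, session id and form names are assumed values.

```php
<?php
// Added example, not from the thread. Assumes a config-loaded secret,
// session_id() for the session binding, and form names without '|'.
declare(strict_types=1);

const CSRF_TTL = 3600; // seconds a token remains valid

function csrf_token(string $secret, string $formName, string $sessionId, ?int $now = null): string
{
    $now = $now ?? time();
    // The parameters may be public; only the MAC must be unforgeable.
    $payload = $formName . '|' . $sessionId . '|' . $now;
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '|' . $mac);
}

function csrf_check(string $secret, string $token, string $formName, string $sessionId, ?int $now = null): bool
{
    $now = $now ?? time();
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 4) {
        return false;
    }
    [$tokForm, $tokSession, $issued, $mac] = $parts;
    // Recompute the MAC over the received parameters; constant-time compare.
    $expected = hash_hmac('sha256', $tokForm . '|' . $tokSession . '|' . $issued, $secret);
    if (!hash_equals($expected, $mac)) {
        return false; // tampered with or forged
    }
    if ($tokForm !== $formName || !hash_equals($tokSession, $sessionId)) {
        return false; // token minted for another form or another session
    }
    if (!ctype_digit($issued) || (int) $issued + CSRF_TTL < $now) {
        return false; // expired
    }
    return true;
}

// Two forms on one page: same hidden field name, different tokens.
$secret = 'constructed-secret-for-demo'; // assumption: from config in practice
$sid    = 'demo-session-id';             // assumption: session_id() in practice
$loginTok   = csrf_token($secret, 'login', $sid);
$commentTok = csrf_token($secret, 'comment', $sid);
var_dump(csrf_check($secret, $loginTok, 'login', $sid));   // accepted
var_dump(csrf_check($secret, $loginTok, 'comment', $sid)); // rejected: wrong form
var_dump(csrf_check($secret, $commentTok . 'x', 'comment', $sid)); // rejected: tampered
```

Each form's handler calls csrf_check with its own form name, so a token lifted from one form cannot be replayed against another even though both hidden fields are named identically.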

PostPosted: Tue Jan 31, 2012 7:14 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

PostPosted: Tue Jan 31, 2012 7:27 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
On the page you have two forms with two tokens you want to keep in $_SESSION. What are they called?

PostPosted: Tue Jan 31, 2012 7:49 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
OK, I see what you mean; thanks for clearing it up.

Thinking about multiple forms on a single page, however, I think it could still use a single session value, as the session value in this case is only used to determine that the processing page was accessed from the page actually containing the form (and not a spoofed page).

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

PostPosted: Tue Jan 31, 2012 4:37 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR

PostPosted: Wed Feb 01, 2012 5:17 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria

PostPosted: Wed Feb 01, 2012 1:38 pm 
Forum Contributor

Joined: Sat Oct 01, 2011 9:29 pm
Posts: 156
Location: Colorado, USA

PostPosted: Thu Feb 02, 2012 11:48 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR

PostPosted: Fri Feb 03, 2012 12:40 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
You guys are above my pay grade on this stuff, and you probably know about this, too, but just in case it has slipped by any of you, there's an add-on for the Firefox browser called Tamper Data. It enables you to view--and modify--form data sent by the POST method. I have occasionally found it helpful in debugging something like a payment processing system.

PostPosted: Fri Feb 03, 2012 4:37 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Eh, you're selling yourself short, califdon :) This is a good reminder, thanks.

When you write security code it's imperative to test it - tools like Tamper Data or a pentesting proxy like Burp or Paros are essential to that!
Remember: if you haven't tested your code, it is not working! Doesn't matter if you've written similar code before, if you've read it carefully and are 100% sure that it's correct, if a guy on a forum told you it's good or if the ghost of your grandgrandgrandgrandfather came and told you the code is right - until you've tried it with both valid and invalid data, it is not working, period.

PostPosted: Fri Feb 03, 2012 11:11 am 
Forum Contributor

Joined: Sat Oct 01, 2011 9:29 pm
Posts: 156
Location: Colorado, USA

PostPosted: Fri Feb 03, 2012 1:36 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
