Security question.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Tommy1402
Forum Newbie
Posts: 23
Joined: Tue Oct 03, 2006 4:33 am
Location: bandung
Contact:

Post by Tommy1402 »

The article makes it clear that by disabling JavaScript, a user is completely insecure.
User avatar
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: Security question.

Post by Oren »

Tommy1402 wrote:I also use a token to make sure that all requests come from my web forms.
It doesn't guarantee that the data come from your web forms.
It only guarantees that the user/hacker has been on your web page.
Re: Security question.

Post by Tommy1402 »

Oren wrote:
Tommy1402 wrote:I also use a token to make sure that all requests come from my web forms.
It doesn't guarantee that the data come from your web forms.
It only guarantees that the user/hacker has been on your web page.
The token is auto-changed on every page request...
I don't really understand what you're saying. Could you explain in more detail? (Thanks.)
Post by Oren »

Ok, I'll explain, but first tell me how exactly you implement this mechanism in your code.
Post by Tommy1402 »

Oren wrote:Ok, I'll explain, but first tell me how exactly you implement this mechanism in your code.
First, a registered user logs in. On success, $_SESSION['uid'] (containing the user's id) and a new session id are generated.

A random $token and $_SESSION['token'] are also generated.

Then the current user's session id and IP are recorded in the database.

If login succeeds, the user is redirected to the main page.

On every page, I put $User->Validate($_GET['token']) to make sure that the current user has the same User Id, Session Id, IP, and token. If validation succeeds, a new $token is generated along with a new $_SESSION['token'].

Because I use GET to get the token value, I add ?token=$token to every link in my template (tpl) page.

Well, that's all. I'm still learning this concept, so please enlighten me. Thanks!
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

It is redundant to keep the info both in the database and in the session.
Don't generate your own session id; let PHP do it (it will do it better than you).
Otherwise it seems okay in theory; I will have to see the actual code for a true analysis.

P.S. For token-protected pages it might be good to disable caching (see the manual on header(), for example).

Note that if you have an XSS vulnerability somewhere, the attacker may still be able to do CSRF by requesting a form and parsing it to get the token.
Read this:
http://shiflett.org/articles/cross-site ... -forgeries
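An added example, not code posted in this thread: it implements the synchronizer-token check that Tommy1402 describes above, in the POST-plus-hidden-field form that Mordred's Shiflett link uses rather than a ?token= parameter on every link, and then walks through the cases the thread argues about, including Mordred's XSS caveat. The session is modelled as a plain array and requests as arrays so it runs from the CLI; the function names and the /transfer form are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Session and request are plain arrays
// so this runs from the CLI; the function names and /transfer form are assumed.

/** Issue a fresh random token and store it in the (simulated) session. */
function issueToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    return $session['csrf_token'];
}

/**
 * Check a submitted token against the session and consume it.
 * hash_equals() compares in constant time; consuming the token means a
 * value captured once cannot be replayed later.
 */
function validateToken(array &$session, $submitted): bool
{
    $expected = $session['csrf_token'] ?? null;
    unset($session['csrf_token']);            // single use, whether it matches or not
    if (!is_string($expected) || !is_string($submitted)) {
        return false;                         // missing, or an array smuggled in as token[]
    }
    return hash_equals($expected, $submitted);
}

/** The protected page: a POST form carrying the token in a hidden field. */
function renderTransferForm(array &$session): string
{
    $token = htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<input name="amount"><button>Send</button></form>';
}

/** The POST handler: refuse anything without a valid, unused token. */
function handleTransfer(array &$session, array $post): string
{
    if (!validateToken($session, $post['token'] ?? null)) {
        return 'rejected: missing, wrong or reused token';
    }
    return 'ok: transferred ' . (int) ($post['amount'] ?? 0);
}

/** What any client that can read the page does: pull the token out of the HTML. */
function extractToken(string $html): ?string
{
    return preg_match('/name="token" value="([0-9a-f]{64})"/', $html, $m) ? $m[1] : null;
}

$session = [];

// 1. Legitimate use: the browser loads the form, the user submits it.
$token = extractToken(renderTransferForm($session));
echo '1 user submit:   ', handleTransfer($session, ['token' => $token, 'amount' => 100]), PHP_EOL;

// 2. Replay of the same token after it has been consumed.
echo '2 replay:        ', handleTransfer($session, ['token' => $token, 'amount' => 100]), PHP_EOL;

// 3/4. Classic cross-site request: a form on evil.example POSTs with the victim's
//      cookies but cannot know the token, so it guesses or omits it.
renderTransferForm($session);
echo '3 guessed token: ', handleTransfer($session, ['token' => str_repeat('0', 64), 'amount' => 100]), PHP_EOL;
echo '4 no token:      ', handleTransfer($session, ['amount' => 100]), PHP_EOL;

// 5. Mordred's caveat: script injected through XSS runs in the site's own origin,
//    so it can GET the form with the victim's session, parse the token exactly as
//    in step 1, and POST it. The check passes; the token only proves that the
//    requester could read the page, which is Oren's point.
$stolen = extractToken(renderTransferForm($session));   // attacker's fetch + parse
echo '5 XSS-driven:    ', handleTransfer($session, ['token' => $stolen, 'amount' => 9999]), PHP_EOL;
```

Run it with `php csrf_demo.php`. Steps 2 to 4 are the cases a token is meant to stop; step 5 is the case it cannot, because the XSS payload and the real user are indistinguishable to the server, so the token is no substitute for escaping output. Putting the token in the query string, as the ?token= links described above do, also leaks it into Referer headers, browser history and server logs, which is one reason the linked article carries it in a hidden POST field instead.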
Post by Tommy1402 »

Mordred wrote: P.S. For token-protected pages it might be good to disable caching (see the manual on header(), for example).
Thanks for the above info...

One question regarding Shiflett's page: since Shiflett uses a session, the POST method and a hidden form, what if I use a cookie instead? Is it safer?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Cookie values are just as susceptible to manipulation as POST and GET submissions.