security - _Post from one site

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

security - _Post from one site

Post by divx »

from a securit point of view how is it possible to make sure that any post data only comes from one site (that you define)

for instance if I had a example/MyRegistrationForm.php, which posts to example2/MyUserCreation.php
How could I make sure that the data is only posted from example/MyRegistrationForm.php

I dont want to send this in the post request (since post request can be manipulated), i need to find a way for example2/MyUserCreation.php to know it come from example/MyRegistrationForm.php

Any ideas?
Last edited by divx on Sat Jul 07, 2007 3:41 pm, edited 1 time in total.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Why?

You should be validating the data anyway.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

validation wont stop resubmits with things like paros.

You dont nessesarily have to js inject to hijack a site, you could potentilay create an auto submit querry that loops submit.

I already have a validation that checks for ip address, but i need something else to verify origanal location for hardening.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Try using a session.

I hope you're aware that remotely isnt the only way to re-submit a form. They could continuously refresh the page that the form was submitted to.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

resubmitting on that page is prevented(ip logged in db, can only do one querry, as are many other things such email and username), but cross site attacks are a little harder to prevent when a user changes ip address within a script.

cookie seesions is an alternative, but really wanted to avoid using cookies as a form of protection

I've had a look at
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();

this might do the trick
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

IP tracking is not reliable, at all.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

divx wrote:...when a user changes ip address within a script.
Or within my router

Or within my browser (proxy)

Or....

Or....


...just do echo what feyd said :)
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Then don't use cookies. Make all of your users have an account and handle your sessions through the database.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

You could always try implementing a challenge->response type of system

the form page generate a key, store it in the database and submit it to the processor. The processor then looks up the key and if it matches its legit...


Pretty much identical to maugrim's challenge/response login tutorial.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

The key could be caught if sent to the databse, then re-used to manipulate from a 3rd party software like paros.
- but could encrypt this
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

divx wrote:The key could be caught if sent to the databse, then re-used to manipulate from a 3rd party software like paros.
- but could encrypt this
How? The server itself would have to be compromised in order to do that... and if so, you'd have much much more to worry about...

Are you on a shared host?

If you're that paranoid about security, run the whole site with ssl...
Post Reply