security - _Post from one site
Moderator: General Moderators
From a security point of view, how is it possible to make sure that any POST data only comes from one site (that you define)?
For instance, if I had an example/MyRegistrationForm.php which posts to example2/MyUserCreation.php, how could I make sure that the data is only posted from example/MyRegistrationForm.php?
I don't want to send this in the POST request (since POST requests can be manipulated); I need to find a way for example2/MyUserCreation.php to know it came from example/MyRegistrationForm.php.
Any ideas?
Last edited by divx on Sat Jul 07, 2007 3:41 pm, edited 1 time in total.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Validation won't stop resubmits with things like Paros.
You don't necessarily have to JS-inject to hijack a site; you could potentially create an auto-submit query that loops submits.
I already have validation that checks the IP address, but I need something else to verify the original location for hardening.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Resubmitting on that page is prevented (IP logged in DB, can only do one query, as are many other things such as email and username), but cross-site attacks are a little harder to prevent when a user changes IP address within a script.
Cookie sessions are an alternative, but I really wanted to avoid using cookies as a form of protection.
I've had a look at
session_start();                      // the token is kept server-side in the session
$token = bin2hex(random_bytes(32));   // unguessable value that gets embedded in the form
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();     // issue time, so a stale token can be rejected
this might do the trick.
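One way to turn the token idea from the post above into a complete check, as an added example that is not from the original thread or from divx's code: a keyed, expiring token that example2/MyUserCreation.php can verify without sharing anything but a secret with example/MyRegistrationForm.php. The $_SESSION version quoted above only works when both scripts read the same session store, which two separate hosts normally do not, so this variant replaces session state with an HMAC over an issue time and a random nonce. The shared secret, the hidden field name form_token, the constant TOKEN_MAX_AGE and the function names are all assumptions for the example.

```php
<?php
// Added example (not the thread's own code): a keyed, expiring form token.
// Assumption: example/ and example2/ both hold the same secret string; it is
// never placed in the form, only the token derived from it is.

const TOKEN_MAX_AGE = 600; // seconds a rendered form stays valid (assumed value)

// Called by example/MyRegistrationForm.php when rendering the form.
function issue_token(string $secret, ?int $issued = null): string {
    $issued = $issued ?? time();
    $nonce  = bin2hex(random_bytes(16));                 // per-form randomness
    $mac    = hash_hmac('sha256', "$issued:$nonce", $secret);
    return "$issued:$nonce:$mac";
}

// Called by example2/MyUserCreation.php on the posted value.
function verify_token(string $token, string $secret, int $max_age = TOKEN_MAX_AGE): bool {
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return false;                                    // malformed or empty
    }
    [$issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued) || strlen($nonce) !== 32 || !ctype_xdigit($nonce)) {
        return false;                                    // fields not in the issued shape
    }
    $expected = hash_hmac('sha256', "$issued:$nonce", $secret);
    if (!hash_equals($expected, $mac)) {                 // constant-time comparison
        return false;                                    // forged, altered, or wrong secret
    }
    $age = time() - (int) $issued;
    return $age >= 0 && $age <= $max_age;                // reject stale and future-dated tokens
}

// How the two pages would use it (kept as comments so the file runs stand-alone):
//   example/MyRegistrationForm.php:
//     <input type="hidden" name="form_token"
//            value="<?= htmlspecialchars(issue_token($SHARED_SECRET)) ?>">
//   example2/MyUserCreation.php:
//     if (!verify_token($_POST['form_token'] ?? '', $SHARED_SECRET)) {
//         http_response_code(403); exit;
//     }

// Self-check over constructed inputs: a fresh token passes; an altered MAC,
// an expired token, a random string and an empty field are all rejected.
function self_check(string $secret): bool {
    $good     = issue_token($secret);
    $last     = substr($good, -1);
    $tampered = substr($good, 0, -1) . ($last === '0' ? '1' : '0');
    $expired  = issue_token($secret, time() - 2 * TOKEN_MAX_AGE);
    return verify_token($good, $secret)
        && !verify_token($tampered, $secret)
        && !verify_token($expired, $secret)
        && !verify_token('not:a:token', $secret)
        && !verify_token('', $secret)
        && !verify_token($good, 'a-different-secret');
}

$SHARED_SECRET = 'constructed-demo-secret-replace-with-a-long-random-value';
echo self_check($SHARED_SECRET) ? "token checks behave as expected\n" : "self-check FAILED\n";
```

Two caveats a practitioner would want: the token does travel in the POST body, but because only the two hosts know the secret an intercepting proxy can alter it only to a value that fails verification; and a token captured by such a proxy remains valid until it expires, so one-time use still requires example2 to record the nonces it has already accepted, which is the database step the thread goes on to discuss.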
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
nickvd
- DevNet Resident
- Posts: 1027
- Joined: Thu Mar 10, 2005 5:27 pm
- Location: Southern Ontario
divx wrote: The key could be caught if sent to the database, then re-used to manipulate from third-party software like Paros.
How? The server itself would have to be compromised in order to do that... and if so, you'd have much, much more to worry about...
but could encrypt this
Are you on a shared host?
If you're that paranoid about security, run the whole site with SSL...