Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
The validity of the token can also be limited to a small window of time, such as ten minutes:
I made the following changes to post.php (the code is below), but it still does not go into the valid data loop, and prints "Timeup!" on pressing the submit button and does not show any value for echo $_SESSION['token_time'];
However, if I DIRECTLY go to post.php it says "Valid data!"
It's behaving just the opposite of the way I expect it to.
Revised Code
<?php
// Note: session_start() is never called on this page, so $_SESSION is empty here
// and neither $_POST['token'] nor $_SESSION['token'] is checked with isset() before use.
if ($_POST['token'] == $_SESSION['token']) {
    echo "Valid data!";
    exit;
}
// With no session, $_SESSION['token_time'] is NULL and $token_age becomes time() - NULL
$token_age = time() - $_SESSION['token_time'];
if ($token_age >= 600) {
    // time limit can be set here as number instead
    // of LOGIN_TIME_LIMIT define, such as 60*10
    echo $_SESSION['token_time'];
    echo "Timeup!";
    exit;
}
?>
I can't figure out its behaviour, as this is very simple code. Please help me simulate its behaviour.
<?php
session_start();
// isset() returns a boolean, so this compares true/false with the session
// token string rather than comparing the posted token with the session token
if (isset($_POST['token']) == $_SESSION['token']) {
    echo "Valid data!";
    exit;
}
else {
    echo "Wrong data!";
}
$token_age = time() - $_SESSION['token_time'];
if ($token_age >= 600) {
    // time limit can be set here as number instead
    // of LOGIN_TIME_LIMIT define, such as 60*10
    echo "Timeup!";
    exit;
}
?>
The situation
1> If I write anything on the form and submit, it says Valid data. OK
2> If I keep the form blank and submit, it says Valid data. NOT OK
3> If I directly access post.php it gives Wrong data! I think it's OK
Please clarify points 2 and 3, and whether the time condition works fine if the data is valid/invalid but the time has expired.
<?php
session_start();
// The age check runs first, so an expired token is reported before the value is compared.
// $_SESSION['token_time'] is not isset()-checked here; without a session this is time() - NULL.
$token_age = time() - $_SESSION['token_time'];
if ($token_age >= 5) {
    // time limit can be set here as number instead
    // of LOGIN_TIME_LIMIT define, such as 60*10
    echo "Timeup!";
    exit;
}
// Both values are checked with isset() before the posted token is compared with the session token
if (isset($_POST['token']) && isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    echo "Valid data!";
    exit;
}
else {
    echo "Wrong data!";
    exit;
}
?>
Thanks superdezign, it worked well.
Last question:
It ALWAYS shows Timeup! when submitted from some other site... is that OK, or should it print Wrong data???
[quote="superdezign"][quote="kkonline"]It ALWAYS shows Timeup! when submitted from some other site... is that OK, or should it print Wrong data???[/quote]
Not sure. I do know that if a session isn't started, $token_age will equal time() - NULL. You should always check if a value isset() before using it.[/quote]
Sounds good. I understand your point! Thanks a tonne. You cleared up so many doubts today. Thanks again... The corrected code is
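As an added example (not the code either kkonline or superdezign posted), here is a form.php/post.php pair in one file that applies the points made in this thread: session_start() on every page that touches the token, isset() on the posted token and on both session values before they are used, the age check before the comparison, and a single-use token. It assumes PHP 7 or later (random_bytes, hash_equals); the function names and the ten-minute window are my choices.

```php
<?php
// Added example, not the posters' code. Assumes PHP 7+ and that the form
// page and post.php share one session.
const TOKEN_LIFETIME = 600; // seconds; ten minutes, as in the thread

// Form side: called once per form render, stores token + issue time.
function issue_token(): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits, unguessable
    $_SESSION['token']      = $token;
    $_SESSION['token_time'] = time();
    return $token;
}

// post.php side: returns 'valid', 'expired' or 'wrong'.
// Every session and POST value is isset()-checked first: time() - NULL
// is just time(), which is why a request that arrives without a session
// (e.g. a form submitted from some other site) otherwise always reads as
// "Timeup!" instead of "Wrong data!".
function check_token(array $post): string
{
    if (!isset($_SESSION['token'], $_SESSION['token_time'], $post['token'])
        || !is_string($post['token'])) {
        return 'wrong';   // no token issued, or none sent
    }
    if (time() - $_SESSION['token_time'] >= TOKEN_LIFETIME) {
        unset($_SESSION['token'], $_SESSION['token_time']);
        return 'expired';
    }
    // hash_equals(): constant-time, strict string comparison. == would
    // compare numeric-looking strings numerically and leak timing.
    $ok = hash_equals($_SESSION['token'], $post['token']);
    unset($_SESSION['token'], $_SESSION['token_time']); // one use only
    return $ok ? 'valid' : 'wrong';
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $messages = ['valid' => 'Valid data!', 'expired' => 'Timeup!', 'wrong' => 'Wrong data!'];
    echo $messages[check_token($_POST)];
} else {
    $token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input type="submit" value="Submit"></form>';
}
```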