Simple form security - will this work?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
z1freeride
Forum Newbie
Posts: 2
Joined: Wed Feb 06, 2008 9:46 pm

Simple form security - will this work?

Post by z1freeride »

Hi all, I tried searching for a question like this but I couldn't find anything. I'm new to php and I hope to get a better understanding about this.

I found this page here: http://nyphp.org/phundamentals/spoofed_submission.php that suggests using a shared secret method utilizing a hidden input field, sessions and check the post variable to the session variable. I know that can prevent more advanced attacks (via telnet) but the user can still see the random key in the page's source.

Wouldn't it be better to just create my own key; place it in a session variable; on the processing page check to see if it's there and if it is the right key?

Like so:
form page:
<?php session_start();
$_SESSION['secret'] = "d8fjker98sdjkf8";
?>

Processing page:
if ($_SESSION['secret']=="d8fjker98sdjkf8"):
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Simple form security - will this work?

Post by Mordred »

Before implementing security measures (especially ones you devised yourself) you must be aware of the problem they are supposed to fix. "Legitimate" form spoofing is not the problem - you shouldn't care about it if a legitimate user wants to submit a form however he wants. You should care about CSRF, where the user doesn't want to submit the form. This is what the article protects against (even if it doesn't mention it, because it looks way too old) and your code doesn't.
z1freeride
Forum Newbie
Posts: 2
Joined: Wed Feb 06, 2008 9:46 pm

Re: Simple form security - will this work?

Post by z1freeride »

Ok thank you. I looked up CSRF on wikipedia and it makes sense. I'm still a little confused how somebody would "spoof" my security.

So the user receives a cookie and then when they leave my form to another website, that new website can somehow get the contents of the cookie, etc...?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Simple form security - will this work?

Post by Mordred »

Ummm, no.
You gotta read more. Sorry, I can't elaborate now. Read wikipedia again, check the examples
Post Reply