Hi all, I tried searching for a question like this but I couldn't find anything. I'm new to PHP and I hope to get a better understanding about this.
I found this page here: http://nyphp.org/phundamentals/spoofed_submission.php that suggests using a shared-secret method: a hidden input field plus sessions, then comparing the POST variable to the session variable on the processing page. I know that can prevent more advanced attacks (via telnet), but the user can still see the random key in the page's source.
Wouldn't it be better to just create my own key; place it in a session variable; on the processing page check to see if it's there and if it is the right key?
Like so:
Form page:
<?php session_start();
$_SESSION['secret'] = "d8fjker98sdjkf8";
?>
Processing page:
<?php session_start(); // the session has to be started here too, or $_SESSION is empty
if ($_SESSION['secret'] == "d8fjker98sdjkf8"):
    // process the form
endif;
Simple form security - will this work?
-
z1freeride
- Forum Newbie
- Posts: 2
- Joined: Wed Feb 06, 2008 9:46 pm
Re: Simple form security - will this work?
Before implementing security measures (especially ones you devised yourself) you must be aware of the problem they are supposed to fix. "Legitimate" form spoofing is not the problem - you shouldn't care about it if a legitimate user wants to submit a form however he wants. You should care about CSRF, where the user doesn't want to submit the form. This is what the article protects against (even if it doesn't mention it, because it looks way too old) and your code doesn't.
-
z1freeride
- Forum Newbie
- Posts: 2
- Joined: Wed Feb 06, 2008 9:46 pm
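To make the difference concrete, here is an added example (not code from the thread or from the nyphp.org article) that puts the original poster's static-secret check next to a per-session random token of the kind the reply is pointing at. It assumes PHP 7 or later for random_bytes() and hash_equals(); the function names weakCheck, csrfToken, csrfField and csrfCheck are mine.

```php
<?php
// Added example: static session secret vs. per-session random CSRF token.
session_start();

// --- The scheme from the first post: the same constant for every visitor.
// It proves only that the browser has a session on this site, which is exactly
// the situation in a CSRF attack: the victim is logged in, and some other page
// makes their browser submit the form. The check passes anyway.
function weakCheck(): bool
{
    return isset($_SESSION['secret']) && $_SESSION['secret'] === "d8fjker98sdjkf8";
}

// --- Per-session random token. It is generated server-side, kept in the
// session and echoed into the form. The same-origin policy keeps another
// site's page from reading this HTML, so a cross-site forged POST cannot
// include the right value. That the user can see it in their own page source
// is fine: the token is a secret from other sites, not from the user.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(array $post): bool
{
    if (empty($_SESSION['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison; a plain == would also apply PHP's loose type juggling.
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// Minimal form page and processing page in one file.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST)) {
        http_response_code(403);
        exit('Rejected: missing or wrong CSRF token');
    }
    echo 'Form accepted';
} else {
    echo '<form method="post">' . csrfField() . '<button>Send</button></form>';
}
```

Point the form at the same script: a submission from the rendered form carries the token and is accepted, while a POST without it (or with a value copied from a different session) gets a 403. weakCheck() is kept only to show the contrast; it is never called.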
Re: Simple form security - will this work?
OK, thank you. I looked up CSRF on Wikipedia and it makes sense. I'm still a little confused how somebody would "spoof" my security.
So the user receives a cookie and then when they leave my form to another website, that new website can somehow get the contents of the cookie, etc...?
Re: Simple form security - will this work?
Ummm, no.
You gotta read more. Sorry, I can't elaborate now. Read Wikipedia again, check the examples.