Page 1 of 1

Simple form security - will this work?

Posted: Wed Feb 06, 2008 9:54 pm
by z1freeride
Hi all, I tried searching for a question like this but I couldn't find anything. I'm new to php and I hope to get a better understanding about this.

I found this page here: http://nyphp.org/phundamentals/spoofed_submission.php that suggests using a shared secret method utilizing a hidden input field, sessions and check the post variable to the session variable. I know that can prevent more advanced attacks (via telnet) but the user can still see the random key in the page's source.

Wouldn't it be better to just create my own key; place it in a session variable; on the processing page check to see if it's there and if it is the right key?

Like so:
form page:
<?php session_start();
$_SESSION['secret'] = "d8fjker98sdjkf8";
?>

Processing page:
if ($_SESSION['secret']=="d8fjker98sdjkf8"):

Re: Simple form security - will this work?

Posted: Thu Feb 07, 2008 1:02 am
by Mordred
Before implementing security measures (especially ones you devised yourself) you must be aware of the problem they are supposed to fix. "Legitimate" form spoofing is not the problem - you shouldn't care about it if a legitimate user wants to submit a form however he wants. You should care about CSRF, where the user doesn't want to submit the form. This is what the article protects against (even if it doesn't mention it, because it looks way too old) and your code doesn't.

Re: Simple form security - will this work?

Posted: Thu Feb 07, 2008 9:05 am
by z1freeride
Ok thank you. I looked up CSRF on wikipedia and it makes sense. I'm still a little confused how somebody would "spoof" my security.

So the user receives a cookie and then when they leave my form to another website, that new website can somehow get the contents of the cookie, etc...?

Re: Simple form security - will this work?

Posted: Fri Feb 08, 2008 12:07 am
by Mordred
Ummm, no.
You gotta read more. Sorry, I can't elaborate now. Read wikipedia again, check the examples