ways of maintaining HTTP states without session or cookies


onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

The time issue on sessions is a security feature. Sessions should time out. If they don't then someone leaving their computer logged in is another attack vector. Coding around that and making a system that never times out means your website will be less secure.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

crazytopu wrote: Does hidden HTML have any serious security issue just like a query string has?
Yes, it does. It is just as easy to view the source, edit the HTML and use the same form action as what you have. I can edit your form fields and values without your knowledge, so you need to protect against it.

The nature of HTTP and the stateless condition of web servers is something that is not going to fit well into what you are being tasked to do.
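As an added example (not RobertGonzalez's code or anything from this thread), here is the hidden price/bookTitle field from this discussion handled three ways in PHP: the pattern that trusts the field, the server-side lookup that makes the field irrelevant, and an HMAC-signed hidden field for state that must cross the client without a session or cookie. SECRET_KEY, the catalogue and the sample values are placeholders constructed for the demonstration.

```php
<?php
// Added example (not RobertGonzalez's code): handling the hidden price/bookTitle fields
// discussed here. SECRET_KEY and the catalogue are placeholders constructed for this demo.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';

// Vulnerable: the server trusts whatever came back in the hidden field, so anyone who
// saves the form, edits price and resubmits (as described in this thread) sets the price.
function chargeVulnerable(array $post): float
{
    return (float) $post['price'];
}

// Fix 1: never round-trip authoritative data. Send only an id; look the price up again.
function lookupPrice(string $bookId): ?float
{
    $catalogue = ['b1' => 19.99, 'b2' => 42.00]; // constructed sample catalogue
    return $catalogue[$bookId] ?? null;
}

// Fix 2: when state really must travel through the client without a session or cookie,
// sign it with an HMAC so any edit is detected when it comes back.
function signState(array $state): string
{
    $payload = base64_encode(json_encode($state));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

function verifyState(string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return null; // tampered or forged: reject, do not fall back to the posted value
    }
    $state = json_decode(base64_decode($payload, true), true);
    return is_array($state) ? $state : null;
}

// Page 1 emits the signed state as one hidden field ...
$token = signState(['book_id' => 'b1', 'price' => lookupPrice('b1')]);
echo '<input type="hidden" name="state" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
// ... and page 2 accepts only a token whose MAC still matches: editing a single character
// of the payload (simulated here) makes verifyState() return null.
$tampered = $token;
$tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';
var_dump(verifyState($token) !== null, verifyState($tampered) === null);
```

The signed token still reveals its contents to the user (base64 is not encryption); it only guarantees that what comes back is what the server sent.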
mrkite
Forum Contributor
Posts: 104
Joined: Tue Sep 11, 2007 4:19 am

Post by mrkite »

Hockey wrote:Why wouldn't you just use SESSIONS though?
I don't use them because they stuff up my tmp dir... and my tmp dir is a ram disk.

We basically use a hand rolled sessions system though. A hash is sent as a cookie, it corresponds to a key in mysql. This way a session works in a mixed environment. A RoR app can access your session information the same as a php script. It also gives us the ability to delete your session from an admin panel and force a log out.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Ahem. session_set_save_handler() - i.e. database sessions...
mrkite
Forum Contributor
Posts: 104
Joined: Tue Sep 11, 2007 4:19 am

Post by mrkite »

feyd wrote:Ahem. session_set_save_handler() - i.e. database sessions...
the write callback is called after object destruction, so you can't use PEAR:DB, PEAR:MDB or PDO to connect to the database.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

mrkite wrote: the write callback is called after object destruction, so you can't use PEAR:DB, PEAR:MDB or PDO to connect to the database.
I don't use any of those... but I do it all the time.
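As an added example (not feyd's or mrkite's code), here is the database-backed session store that feyd's session_set_save_handler() remark refers to, written against PHP 8 and PDO, with the write-after-object-destruction ordering that mrkite raises addressed by letting session_set_save_handler() register session_write_close() as a shutdown function. The DSN, credentials, table definition and sample session value are placeholders.

```php
<?php
// Added example (not feyd's or mrkite's code): PHP sessions stored in MySQL through
// session_set_save_handler(). Assumes PHP 8, PDO, placeholder credentials and this table:
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL,
//                          expires INT UNSIGNED NOT NULL);
class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    public function __construct(PDO $db) { $this->db = $db; }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';   // unknown or expired id: start empty
    }

    public function write(string $id, string $data): bool
    {
        // Expiry is enforced on the server; this is the timeout onion2k describes above.
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, $expires]);
    }

    public function destroy(string $id): bool
    {
        // Deleting the row (e.g. from an admin panel, as mrkite describes) forces a logout.
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // placeholders
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The second argument (default true) registers session_write_close() as a shutdown
// function, so write()/close() run while $db still exists, rather than after object
// destruction, which is the problem mrkite raises above.
session_set_save_handler(new DbSessionHandler($db), true);
session_start();
$_SESSION['user_id'] = 42;   // constructed sample value
```

Call session_regenerate_id(true) after a successful login so a session id fixed before authentication does not carry over into the authenticated session.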
crazytopu
Forum Contributor
Posts: 259
Joined: Fri Nov 07, 2003 12:43 pm
Location: London, UK

Post by crazytopu »

The summary of one of the online articles I read last night says:

Even though they are called hidden, in fact, HTML "hidden" fields are not hidden and not secure. Users can see them simply by viewing the HTML source code of the page in their browser and it's easy for a user to change the hidden field value. All they have to do is save the HTML form into their computer, edit the HTML then re-submit the form.
I simply don't understand how this is possible. For example, if it is a PHP based site, how can a user change the value of the hidden field (which is an HTML page and nothing else) and run that form on the server? So, let's say I have a hidden field called $bookTitle, which I am passing from one page to the other. I am using a PHP variable to catch the value when the form is being submitted and use that variable to store the bookTitle in the database.

Now, even if a user sees the hidden field value, say, "Database Design", how would they change the title and send "Learn TCP/IP in 24 Hours" to the next page when the page is being submitted (obviously, this form resides on the server, whereas the user can just change the value in their local machine in the HTML file)?

Does anyone know?
xhunter12
Forum Newbie
Posts: 1
Joined: Tue May 02, 2006 9:59 pm

Post by xhunter12 »

You can just save the form, edit the fields that you want edited, and add between the head tags of the source
<base href="url of the form">
or if you want it server side, use curl and it is done.
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037) Section 1.1 wrote: 11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.

Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

crazytopu wrote: I simply don't understand how this is possible. For example, if it is a PHP based site, how can a user change the value of the hidden field (which is an HTML page and nothing else) and run that form on the server? So, let's say I have a hidden field called $bookTitle, which I am passing from one page to the other. I am using a PHP variable to catch the value when the form is being submitted and use that variable to store the bookTitle in the database.

Now, even if a user sees the hidden field value, say, "Database Design", how would they change the title and send "Learn TCP/IP in 24 Hours" to the next page when the page is being submitted (obviously, this form resides on the server, whereas the user can just change the value in their local machine in the HTML file)?

Does anyone know?
Can't understand what you mean ...

You can always substitute your hidden fields with "<input type='text'>" ... it will be absolutely the same to the server.
There are 10 types of people in this world, those who understand binary and those who don't
crazytopu
Forum Contributor
Posts: 259
Joined: Fri Nov 07, 2003 12:43 pm
Location: London, UK

Post by crazytopu »

Sorry, maybe I could not explain it clearly.

Say,

<form name="test" action="action.php" method="POST">

this form has a hidden value called price.

Now if I save this page on my local machine, change the price value to something else, and in the action parameter type the full URL instead of just the PHP file:

<form name="test" action="http://www.action.com/action.php" method="POST">

will it work? Is it that simple?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Yes :)
There are 10 types of people in this world, those who understand binary and those who don't
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you use Firefox and install the Web Developer add-on you can edit any form field with a couple clicks in the menus.
crazytopu
Forum Contributor
Posts: 259
Joined: Fri Nov 07, 2003 12:43 pm
Location: London, UK

Post by crazytopu »

Feyd, that's very useful info.
Michael A
Forum Newbie
Posts: 17
Joined: Wed Oct 03, 2007 9:25 am

Post by Michael A »

feyd wrote:If you use Firefox and install the Web Developer add-on you can edit any form field with a couple clicks in the menus.
Best add-on - ever!!

I like the HTML Validator, too.

Check it out here:

http://users.skynet.be/mgueury/mozilla/
crazytopu
Forum Contributor
Posts: 259
Joined: Fri Nov 07, 2003 12:43 pm
Location: London, UK

Post by crazytopu »

Michael A, Excellent! I can do some testing with this add-on. :)