Re: Session token
- From: "Rik Wasmus" <luiheidsgoeroe@xxxxxxxxxxx>
- Date: Wed, 22 Oct 2008 02:10:58 +0200
On Fri, 03 Oct 2008 21:04:41 +0200, Lan Mind <LANMIND01@xxxxxxxxx> wrote:
> Hello again everybody,
> My page: http://www.dockhawk.com/
> I'm trying to implement some "session security" PHP script
> mentioned in the "Cross-site request forgery" section of this
> tutorial (pdf): http://daniel0.net/phpfreaks_tutorials/php_security/php_security.pdf
1) Never, never, never use a GET for an alteration, GET is for presentation of data, possibly you can do some statistical logging, but that's it.
2) If you're still concerned about unknowingly posting (instead of getting) from another site, you can (besides of course making the session cookie httponly) add a temporary hidden post value in your 'alteration form', in the form of a random string which is whitelisted in your current session. On a request, refuse to do an action if the hash doesn't match the current (or one of the several) whitelisted strings.
Of course, you employ other security measures as well, such as using HTTPS instead of HTTP, etc. etc.
> I was trying to figure out if it was functioning by putting a value in
> the hidden input that won't be equal to the session token. The hidden
> input is in my default.html page inside the <div id="search_form">.
> So as the value is wrong the PHP should return "Invalid Token" but
> it's not. In earlier testing I had taken away the not "!" in the PHP
> and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
> and the PHP did return "Invalid Token" as it should have.
> It seems the "!" isn't working, I'm not sure. Thank you for your time,
> here is the PHP:
> <?php
Perhaps a missing:
session_start();
(var_dump($_GET,$_SESSION); when in doubt)
.... and if so, when concerned with security, I sincerely hope you _check_ the $_SESSION for a valid login on _every_ page?
> if ($_GET['token'] !== $_SESSION['token']) {
>     die('Invalid token');
> }
This function we usually call htmlspecialchars($string,ENT_QUOTES);
> function parseToXML($htmlStr)
> {
>     // '&' has to be escaped first; doing it last (as in the original order)
>     // turns the entities produced below into '&amp;lt;', '&amp;gt;', etc.
>     $xmlStr=str_replace('&','&amp;',$htmlStr);
>     $xmlStr=str_replace('<','&lt;',$xmlStr);
>     $xmlStr=str_replace('>','&gt;',$xmlStr);
>     $xmlStr=str_replace('"','&quot;',$xmlStr);
>     $xmlStr=str_replace("'",'&#39;',$xmlStr);
>     return $xmlStr;
> }
And I can't see a further creation of the $_GET variable in any URL the user will visit (link, target, etc.), so there's no way of knowing for us whether there's a fault there.
--
Rik Wasmus
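An added example, not code from either post in this thread, that puts Rik's two points into one runnable PHP page: a per-session random token emitted as a hidden POST field and checked with a constant-time comparison before any state-changing action, with session_start() and an httponly session cookie up front. The names csrf_token, csrf_field and csrf_valid are my own; it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the thread). Requires PHP 7+.
ini_set('session.cookie_httponly', '1'); // session cookie not readable from JavaScript
session_start();                         // without this $_SESSION is empty and every check fails

function csrf_token(): string
{
    // Generate once per session and reuse it, so several open tabs keep working.
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_field(): string
{
    // htmlspecialchars() with ENT_QUOTES is what parseToXML() above tried to hand-roll.
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $t . '">';
}

function csrf_valid(array $post): bool
{
    // The token travels only in POST: GET must never alter anything.
    if (!isset($post['token'], $_SESSION['token']) || !is_string($post['token'])) {
        return false;
    }
    // hash_equals() avoids leaking the token through comparison timing.
    return hash_equals($_SESSION['token'], $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        die('Invalid token');
    }
    // ... perform the alteration here ...
    echo 'Token accepted';
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <input type="text" name="q">
  <button type="submit">Search</button>
</form>
```

Submitting the form with the hidden value edited (as Lan Mind tried) yields the 403 "Invalid token" response, while an untouched form is accepted.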