Jump to content

session token not matching with form submit. Need new pair of eyes to look at it.


helloworld001

Recommended Posts

I need new pair of eyes to look at this and tell me what's wrong with it. 

 

All I am trying to do is have a simple form that submits data to database.  It works without the "token".  With the token code added, it won't let process.  I even did var_dump and the session and the $_post code doesn't match. 

 

Here's the code. Btw, session_start() and the database connection are in the init.php file.

<?php require_once 'init.php';

$token = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$_SESSION['token'] = $token;
		
if(isset($_POST['register'], $_POST['token'])) {
	
	if($_POST['token'] === $_SESSION['token']) {
	
		$email 		 	 = trim($_POST['email']);
		$password	 	 = trim($_POST['password']);
		
		if(empty($email)) {
							
			$error = 'Email is required!';
			
		} else if(empty($password)) {
		
			$error = 'Password is required!';
			
		} else if(strlen($password) < 6) {
		
			$error = 'Password must be at least 6 characters long!';
		
		} else {
							
			$findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
			$findUser->bindParam(':email', $email);
			$findUser->execute();
			$resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);
			if(count($resultFind) > 0) {
			
				$error = 'The email already exists! Please try a different email!';
			
			} else {
			
				//Hash the password as we do NOT want to store our passwords in plain text.
				$passwordHash = password_hash($passward, PASSWORD_BCRYPT, array("cost" => 12));
				
				$insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
				$insertUser->bindParam(':email', $email);
				$insertUser->bindParam(':password', $passwordHash);
				$resultInsert = $insertUser->execute();
				if($resultInsert == false) {
				
				
					$error = 'There was a problem creating your account. Please try again later!';
				
				} else {
				
					$success = 'Your account has been created.';
					unset($_SESSION['token']);
				}
			
			}
			
		}
   } else {
   
	$error = 'The tokens do not match!';
	
   }
	
}

?>

<h1>Sign up</h1>
<form action="" method="post">
	<fieldset>
		<input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
	</fieldset>
	<fieldset>
		<input type="password" name="password" placeholder="Password" />
	</fieldset>
	<fieldset>
		<input type="hidden" name="token" value="<?php echo $token; ?>" />
		<input type="submit" name="register" value="Sign up" />
	</fieldset>
</form>
		

Link to comment
Share on other sites

The $_SESSION['token'] always a new random, I added a check..

You also had a typo on $password as $passward

<?php
require_once 'init.php';

if(!isset($_SESSION['token'])){
$_SESSION['token'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
}

if(isset($_POST['register'], $_POST['token'])) {
    
    if($_POST['token'] === $_SESSION['token']) {
    
        $email               = trim($_POST['email']);
        $password          = trim($_POST['password']);
        
        if(empty($email)) {
                            
            $error = 'Email is required!';
            
        } else if(empty($password)) {
        
            $error = 'Password is required!';
            
        } else if(strlen($password) < 6) {
        
            $error = 'Password must be at least 6 characters long!';
        
        } else {
                            
            $findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
            $findUser->bindParam(':email', $email);
            $findUser->execute();
            $resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);
            if(count($resultFind) > 0) {
            
                $error = 'The email already exists! Please try a different email!';
            
            } else {
            
                //Hash the password as we do NOT want to store our passwords in plain text.
                $passwordHash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 12));
                
                $insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
                $insertUser->bindParam(':email', $email);
                $insertUser->bindParam(':password', $passwordHash);
                $resultInsert = $insertUser->execute();
                if($resultInsert == false) {
                
                
                    $error = 'There was a problem creating your account. Please try again later!';
                
                } else {
                
                    $success = 'Your account has been created.';
                    unset($_SESSION['token']);
                }
            
            }
            
        }
   } else {
   
    $error = 'The tokens do not match!';
    
   }
    
}

?>

<h1>Sign up</h1>
<form action="" method="post">
    <fieldset>
        <input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
    </fieldset>
    <fieldset>
        <input type="password" name="password" placeholder="Password" />
    </fieldset>
    <fieldset>
        <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
        <input type="submit" name="register" value="Sign up" />
    </fieldset>
</form>
Link to comment
Share on other sites

producing the token is part of the code that produces the output on the page and outputs the form. you have it before the start of the form processing code, so it (re)generates a token when the form is submitted and the value being used in the form processing code is a newly generated value, not the value that was generated at the time the form was produced. put the token generation logic after the form processing code, and before the form code.

Link to comment
Share on other sites

 

The $_SESSION['token'] always a new random, I added a check..

You also had a typo on $password as $passward

<?php
require_once 'init.php';

if(!isset($_SESSION['token'])){
$_SESSION['token'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
}

if(isset($_POST['register'], $_POST['token'])) {
    
    if($_POST['token'] === $_SESSION['token']) {
    
        $email               = trim($_POST['email']);
        $password          = trim($_POST['password']);
        
        if(empty($email)) {
                            
            $error = 'Email is required!';
            
        } else if(empty($password)) {
        
            $error = 'Password is required!';
            
        } else if(strlen($password) < 6) {
        
            $error = 'Password must be at least 6 characters long!';
        
        } else {
                            
            $findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
            $findUser->bindParam(':email', $email);
            $findUser->execute();
            $resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);
            if(count($resultFind) > 0) {
            
                $error = 'The email already exists! Please try a different email!';
            
            } else {
            
                //Hash the password as we do NOT want to store our passwords in plain text.
                $passwordHash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 12));
                
                $insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
                $insertUser->bindParam(':email', $email);
                $insertUser->bindParam(':password', $passwordHash);
                $resultInsert = $insertUser->execute();
                if($resultInsert == false) {
                
                
                    $error = 'There was a problem creating your account. Please try again later!';
                
                } else {
                
                    $success = 'Your account has been created.';
                    unset($_SESSION['token']);
                }
            
            }
            
        }
   } else {
   
    $error = 'The tokens do not match!';
    
   }
    
}

?>

<h1>Sign up</h1>
<form action="" method="post">
    <fieldset>
        <input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
    </fieldset>
    <fieldset>
        <input type="password" name="password" placeholder="Password" />
    </fieldset>
    <fieldset>
        <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
        <input type="submit" name="register" value="Sign up" />
    </fieldset>
</form>

 

 

Ahh yes I see what you did there.  It works.  The only thing is that it doesn't work with "mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)".  But if I try "uniqid()", then it'll work.  Is there anything else I can use to make it more secure?

Link to comment
Share on other sites

producing the token is part of the code that produces the output on the page and outputs the form. you have it before the start of the form processing code, so it (re)generates a token when the form is submitted and the value being used in the form processing code is a newly generated value, not the value that was generated at the time the form was produced. put the token generation logic after the form processing code, and before the form code.

 

That makes sense.  It works now.  Thanks.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.