Showing results for tags 'token'.
-
Hi, I have a question about generating a unique access token. I have read a lot on the internet about just using the PHP 'random_bytes' function. However, I have found a scenario (although highly unlikely) where a session could potentially be hijacked.

User 1 logs in and gets an access token of 'abcdef' (simplifying things). User 1 uses the system for a period of time, but the token expires and doesn't get refreshed yet, as user 1 is idle (so the client still has the access token stored on the client). In the meantime, User 1 decides to use a different device to log in to their account, which generates a new access token 'zxcvbn'. But then User 2 logs in and they get an access token of 'abcdef' as it is unique (like I say, highly unlikely but still possible). Then User 1 goes back to their original device and tries to resume the session (the client still has 'abcdef' as an access token, so it sends that to the server, which then finds it, but it is actually now against a different user), and then hijacks User 2's session unknowingly.

What is the best way around this? What about always adding the internal user ID number to the token to make sure it will always be against the same user (and always truly unique for that user)? So we would end up with 'abcdef1' for User 1, and User 2's access token would be 'abcdef2' if the above scenario was to occur, so we would never get a potential hijack of sessions? I know this sounds convoluted but just wanted people's thoughts.
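Added example, not part of the original post: a small in-memory model of the scenario above, using the `<userId>.<random>` token layout the post proposes and rejecting expired tokens at lookup. `TokenStore`, its methods, and the injectable `$rng` (present only so the demo can force two users to draw the same random part) are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory store; a real system would use a database table.
final class TokenStore
{
    /** @var array<string, array{user: int, expires: int}> keyed by SHA-256 of the token */
    private array $rows = [];

    public function issue(int $userId, int $now, int $ttl = 3600, ?callable $rng = null): string
    {
        $rng ??= static fn(): string => bin2hex(random_bytes(32));
        do {
            // The user ID is part of the token, so it is part of the lookup key too.
            $token = $userId . '.' . $rng();
            $key = hash('sha256', $token);
        } while (isset($this->rows[$key]) && $this->rows[$key]['expires'] > $now);
        $this->rows[$key] = ['user' => $userId, 'expires' => $now + $ttl];
        return $token;
    }

    public function resolve(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return null;
        }
        if ($row['expires'] <= $now) {
            unset($this->rows[$key]); // an expired token never resolves to anyone
            return null;
        }
        return $row['user'];
    }
}

// Constructed collision: both users draw the same random part, 'abcdef'.
$same = static fn(): string => 'abcdef';
$store = new TokenStore();
$stale = $store->issue(1, 1000, 60, $same); // user 1, original device
$fresh = $store->issue(2, 2000, 60, $same); // user 2, later login
var_dump($store->resolve($stale, 2010));    // user 1 resumes with the stale token
var_dump($store->resolve($fresh, 2010));    // user 2's live token
```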
-
I need a new pair of eyes to look at this and tell me what's wrong with it. All I am trying to do is have a simple form that submits data to the database. It works without the "token". With the token code added, it won't let it process. I even did var_dump, and the session and the $_POST code don't match. Here's the code. Btw, session_start() and the database connection are in the init.php file.

```php
<?php
require_once 'init.php';

$token = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$_SESSION['token'] = $token;

if(isset($_POST['register'], $_POST['token'])) {

    if($_POST['token'] === $_SESSION['token']) {

        $email = trim($_POST['email']);
        $password = trim($_POST['password']);

        if(empty($email)) {
            $error = 'Email is required!';
        } else if(empty($password)) {
            $error = 'Password is required!';
        } else if(strlen($password) < 6) {
            $error = 'Password must be at least 6 characters long!';
        } else {
            $findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
            $findUser->bindParam(':email', $email);
            $findUser->execute();
            $resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);

            if(count($resultFind) > 0) {
                $error = 'The email already exists! Please try a different email!';
            } else {
                //Hash the password as we do NOT want to store our passwords in plain text.
                $passwordHash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 12));

                $insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
                $insertUser->bindParam(':email', $email);
                $insertUser->bindParam(':password', $passwordHash);
                $resultInsert = $insertUser->execute();

                if($resultInsert == false) {
                    $error = 'There was a problem creating your account. Please try again later!';
                } else {
                    $success = 'Your account has been created.';
                    unset($_SESSION['token']);
                }
            }
        }
    } else {
        $error = 'The tokens do not match!';
    }
}
?>

<h1>Sign up</h1>
<form action="" method="post">
    <fieldset>
        <input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
    </fieldset>
    <fieldset>
        <input type="password" name="password" placeholder="Password" />
    </fieldset>
    <fieldset>
        <input type="hidden" name="token" value="<?php echo $token; ?>" />
        <input type="submit" name="register" value="Sign up" />
    </fieldset>
</form>
```
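Added example, not part of the original post: the script above assigns a new value to `$_SESSION['token']` at the top of every request, before the comparison runs. The sketch below creates the token once per session, hex-encodes it for the hidden field, and compares with `hash_equals()`; the helpers `csrf_token()` and `csrf_check()` and the array stand-ins for `$_SESSION` and `$_POST` are assumptions so that it runs from the PHP CLI.

```php
<?php
declare(strict_types=1);

// Return the session's form token, creating one only if none exists yet.
function csrf_token(array &$session): string
{
    if (empty($session['token'])) {
        // Hex-encode: raw random bytes do not survive an HTML attribute round trip.
        $session['token'] = bin2hex(random_bytes(16));
    }
    return $session['token'];
}

// Compare the submitted token with the session copy; consume it on success.
function csrf_check(array &$session, array $post): bool
{
    $expected = $session['token'] ?? '';
    $given = $post['token'] ?? '';
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    unset($session['token']); // single use
    return true;
}

// Constructed stand-ins for $_SESSION and $_POST.
$session = [];

// Request 1 (GET): the form is rendered with the token in the hidden field.
$field = csrf_token($session);

// Request 2 (POST): validate before anything can create a new token.
$post = ['register' => 'Sign up', 'token' => $field];
var_dump(csrf_check($session, $post));

// Replaying the same POST: the token has already been consumed.
var_dump(csrf_check($session, $post));

// The ordering used in the post: the session token is overwritten at the
// top of the POST request, then compared with the value the form carried.
$session = [];
$field = csrf_token($session);
$session['token'] = bin2hex(random_bytes(16));
var_dump(csrf_check($session, ['register' => 'Sign up', 'token' => $field]));
```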
-
Hi everybody! I have this current problem: I need to log in to a website via cURL. Website: www.v-tac [dot] ro/

Now, based on the headers and on the input fields, I wrote a PHP function, but I hit a wall with the token.

HEADERS:

```
username=username&password=password&Submit=Conectare&option=com_users&task=user.login&return=aW5kZXgucGhwP0l0ZW1pZD0yMTY%3D&0dbf64fe20e2395a7d72ed5b64b3cf7c=1
```

FORM FIELDS (copy-paste; this is the login form):

```html
<fieldset class="userdata">
    <p id="form-login-username">
        <label for="modlgn-username">Nume Utilizator</label>
        <input id="modlgn-username" type="text" name="username" class="inputbox" size="18">
    </p>
    <p id="form-login-password">
        <label for="modlgn-passwd">Parola</label>
        <input id="modlgn-passwd" type="password" name="password" class="inputbox" size="18">
    </p>
    <p id="form-login-remember">
        <label for="modlgn-remember">Retine utilizator</label>
        <input id="modlgn-remember" type="checkbox" name="remember" class="inputbox" value="yes">
    </p>
    <input type="submit" name="Submit" class="button" value="Conectare">
    <input type="hidden" name="option" value="com_users">
    <input type="hidden" name="task" value="user.login">
    <input type="hidden" name="return" value="aW5kZXgucGhwP0l0ZW1pZD0yMTY=">
    <input type="hidden" name="11b09608b3184e6258012d44846c81ed" value="1">
</fieldset>
```

And this is the function I wrote to do the cURL login:

```php
function login_to_website($targetURL){
    global $browser_user_agent;
    if(empty($targetURL)) { return; }
    if(empty($login_url)) { $login_url = $targetURL; }
    $url = $login_url;

    $login_user = "loginusername";
    $login_password = "loginpassword";
    $thetoken = "this-is-my-problem-the-token-from-the-hidden-input";

    $post_data = array();
    $post_data['username'] = "$login_user";
    $post_data['password'] = "$login_password";
    $post_data['Submit'] = "Conectare";
    $post_data['option'] = "com_users";
    $post_data['task'] = "user.login";
    // Raw value from the form field; http_build_query() does the URL-encoding.
    $post_data['return'] = "aW5kZXgucGhwP0l0ZW1pZD0yMTY=";
    $post_data[$thetoken] = "1";
    $postthis = http_build_query($post_data);

    $login = curl_init();
    curl_setopt($login, CURLOPT_COOKIEJAR, dirname(__FILE__) . "/cookie.tmpz");
    curl_setopt($login, CURLOPT_COOKIEFILE, dirname(__FILE__) . "/cookie.tmpz");
    curl_setopt($login, CURLOPT_VERBOSE, true);
    curl_setopt($login, CURLOPT_URL, $url);
    curl_setopt($login, CURLOPT_USERAGENT, random_user_agent());
    curl_setopt($login, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($login, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($login, CURLOPT_POST, TRUE);
    $timeout = 5;
    curl_setopt( $login, CURLOPT_CONNECTTIMEOUT, $timeout );
    curl_setopt( $login, CURLOPT_TIMEOUT, $timeout );
    curl_setopt( $login, CURLOPT_MAXREDIRS, 10 );
    curl_setopt($login, CURLOPT_POSTFIELDS, $postthis); // POST vars
    curl_setopt($login, CURLOPT_HEADER, 0); // debug headers sent - 1
    $data = curl_exec ($login);

    curl_setopt($login, CURLOPT_URL, $targetURL);
    $datax = curl_exec ($login);

    // close cURL resource, and free up system resources
    curl_close($login);
    return $datax;
}
```

The problem is the last array input. The token is generated each time the page is loaded, and is located on the page as a hidden input field. So the question is: how do I get a fresh token that will work?

Also, I have tried to get the token with an XPath extract like this:

```php
$htmlx = file_get_contents('http://www.v-tac.ro');
$htmlx = mb_convert_encoding($htmlx, 'UTF-8', mb_detect_encoding($htmlx)); //make sure this is utf8
if(!strlen($htmlx)) {echo "No HTML here . stoping execution ."; return;}
$doc = new DomDocument;
@$doc->loadHTML($htmlx);
$xpath = new DOMXPath($doc);
echo $xpath->query('//fieldset[@class="userdata"]/input[5]')->item(0)->getAttribute("name");
$thetoken = $xpath->query('//fieldset[@class="userdata"]/input[5]')->item(0)->getAttribute("name");
```

Help!?
-
Hello, I am looking to create an expiring token for use with our password reset system. We want tokens to be valid for a set period, let's say 24hrs. Currently we md5 the username and userid, and send this as a token to the user's registered email... It's OK, but it means that the token is valid indefinitely. I am not keen on adding more fields to the database to store the time the request was made, so I wondered if anyone had a suggestion? Is there a way I can encrypt a token including a timestamp and then decrypt it to separate the elements out to check the timestamp? Thanks
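Added example, not part of the original post: one way to get a 24-hour reset token without an extra database column is to sign the user ID and expiry time with HMAC-SHA256 rather than encrypt them. The function names, the server-side `$key` and the constructed password hashes are assumptions; mixing the current password hash into the MAC is an addition here, so that a token stops working once the password has been changed.

```php
<?php
declare(strict_types=1);

const RESET_TTL = 86400; // 24 hours, as in the post

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Token layout: "<userId>.<expiry>.<mac>"; nothing is stored server-side.
// The current password hash is part of the MAC input, so changing the
// password invalidates every token issued before the change.
function make_reset_token(int $userId, string $pwHash, string $key, int $now): string
{
    $payload = $userId . '.' . ($now + RESET_TTL);
    return $payload . '.' . b64url(hash_hmac('sha256', "$payload.$pwHash", $key, true));
}

// Returns the user ID for an authentic, unexpired token, otherwise null.
// $pwHashOf: callable(int): ?string giving the user's current password hash.
function verify_reset_token(string $token, callable $pwHashOf, string $key, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $pwHash = $pwHashOf((int) $userId);
    if ($pwHash === null) { return null; }
    $expected = b64url(hash_hmac('sha256', "$userId.$expires.$pwHash", $key, true));
    if (!hash_equals($expected, $mac)) {
        return null; // forged, altered, or issued before a password change
    }
    return (int) $expires >= $now ? (int) $userId : null;
}

// Constructed demo data: user 7 with a placeholder password hash.
$key = random_bytes(32); // assumption: production uses a fixed secret from config
$users = [7 => '$2y$12$CONSTRUCTED.PLACEHOLDER.HASH'];
$pwHashOf = static function (int $id) use (&$users): ?string { return $users[$id] ?? null; };
$now = 1700000000;

$token = make_reset_token(7, $users[7], $key, $now);
var_dump(verify_reset_token($token, $pwHashOf, $key, $now + 3600));          // within 24 h
var_dump(verify_reset_token($token, $pwHashOf, $key, $now + RESET_TTL + 1)); // past expiry
$users[7] = '$2y$12$CONSTRUCTED.NEW.HASH';                                   // password changed
var_dump(verify_reset_token($token, $pwHashOf, $key, $now + 3600));
```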