tefuzz, posted April 25, 2009:

I am trying to use a session token to protect my form a little bit from hijacking, and from timeouts: in case the user takes 4 hours to complete it, the information will be cleared so someone couldn't hijack their data either. I have it creating a token automatically, and passing it through $_POST inside a hidden input 'token'. I can't however get it to work... my code is this... seemed like it would work, but I always get "session error!". And yes, the hidden input for 'step1' is there.

    <?php
    session_start();
    if (!isset($_POST['step1'])) {
        // first visit: issue a token
        $_SESSION['token'] = uniqid(md5(microtime()), true);
    } elseif ($_POST['token'] !== $_SESSION['token']) {
        echo "session error!";
    } else {
        // ...this is where the validation goes...
    }
mikesta707, posted April 25, 2009:

Based on what I see there, since step1 is set, then your session "token" never gets its value set, and because of that, the next elseif check runs true every time (since that session isn't set, the post value of token can't equal nothing, assuming that that post value is also sent).
tefuzz (Author), posted April 25, 2009:

> Based on what I see there, since step1 is set, then your session "token" never gets its value set, and because of that, the next elseif check runs true every time (since that session isn't set, the post value of token can't equal nothing, assuming that that post value is also sent).

I have the first IF checking to see if they pressed the "next" button. If not, then it must be the first time on the page, so I am assigning a token. If it is pressed, then it is checking the token against the hidden input to see if they match. Or at least that's what I thought it was doing.
tefuzz (Author), posted April 25, 2009:

OK, well I think I fixed one part of it... I changed this line of my page:

    <form action="step1.php" method="post" enctype="multipart/form-data" name="tutorApp" class="tutorAppForm">

to this:

    <form action="<?php echo($_SERVER['PHP_SELF']); ?>" method="post" enctype="multipart/form-data" name="tutorApp" class="tutorAppForm">
mikesta707, posted April 25, 2009:

Sorry about the long reply, I was gone for a little bit. OK, I didn't know that you were on that page twice, so yeah, that if statement would work in that case. And the change you made technically shouldn't really matter, since both point to the same location (which is step1.php I assume). Try to use the != comparison instead of the !==. The latter may be making your test run true for some reason (maybe they aren't the same type, or there is some other issue making them not "identical").
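A worked version of the token pattern the thread is circling, added here as an example and not code from any of the posters: the token is generated once per session from random_bytes, stored with the time it was issued so the four-hour limit from the first post can be enforced, echoed into the hidden field, and compared on POST with hash_equals (a strict, constant-time byte comparison; switching `!==` to `!=` only loosens the type check and does not address a token that was never stored or never echoed into the form). After a failed check the stored token and any saved field values are discarded and a new token is issued, so the user simply starts over. Assumes PHP 7 or later; the field names and the `$_SESSION['form']` key are constructed for the example.

```php
<?php
// Added example (not from the thread): per-session form token with a time limit.
// Assumes PHP 7 or later (random_bytes, hash_equals). Field names are constructed.
declare(strict_types=1);
session_start();

const TOKEN_TTL = 4 * 60 * 60;   // the four-hour limit the original post mentions

// Issue a fresh unpredictable token and remember when it was issued.
function issueToken(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    $_SESSION['token_issued'] = time();
    return $token;
}

// True only if a token exists, has not expired, and matches the submitted one
// byte for byte. $submitted is left untyped so an array or null posted in the
// field fails the is_string check instead of raising a TypeError.
function tokenIsValid($submitted): bool {
    if (!isset($_SESSION['token'], $_SESSION['token_issued'])) {
        return false;
    }
    if (time() - $_SESSION['token_issued'] > TOKEN_TTL) {
        return false;
    }
    return is_string($submitted) && hash_equals($_SESSION['token'], $submitted);
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!tokenIsValid($_POST['token'] ?? null)) {
        $error = 'session error!';
        // stale or foreign request: drop the token and any saved form data, start over
        unset($_SESSION['token'], $_SESSION['token_issued'], $_SESSION['form']);
    } else {
        // field validation goes here; keep only values that passed
        $_SESSION['form']['name'] = trim($_POST['name'] ?? '');
    }
}
// Reuse the current token on re-renders; issue one on first visit or after a failure.
$token = $_SESSION['token'] ?? issueToken();
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="hidden" name="step1" value="1">
  <input type="text" name="name"
         value="<?= htmlspecialchars($_SESSION['form']['name'] ?? '', ENT_QUOTES) ?>">
  <button type="submit">next</button>
</form>
<?php if ($error !== null): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES) ?></p>
<?php endif; ?>
```

The form omits an `action` attribute, so it posts back to the URL it was served from; if `$_SERVER['PHP_SELF']` is used instead, as in the post above, it must be passed through htmlspecialchars, because the path portion of the request URL is attacker-controlled and lands inside an attribute. Every page in the multi-step flow can reuse the same session token; it only needs to be reissued after a failure or when the time limit has passed.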
tefuzz (Author), posted April 25, 2009:

OK, now I have another problem. I have the form validation set so that if there are errors it automatically fills in the valid fields again so the user doesn't need to retype everything for 1 error. However, if I run the script with an error, it fills in my valid data just like I want. Now the catch is, if I leave the page and go to say google.com, and go back, my form fields will still be filled in with that data. What can I do to make sure that if they leave the "session" it clears, and they have to start over again? Only if they leave the form (multi part) and come back. If they go to step2 and come back to step1, I want to keep the data.
tefuzz (Author), posted April 25, 2009:

Been looking around for answers, did not find much yet. Anyone have any ideas?
Daniel0, posted April 25, 2009:

Maybe this will be of any help? http://www.phpfreaks.com/tutorial/php-security/page8
tefuzz (Author), posted April 26, 2009:

> Maybe this will be of any help? http://www.phpfreaks.com/tutorial/php-security/page8

Took a look at that, but the page you linked to shows about having some malicious code within a page; when pulled up by a user with permissions it executes. Should I be using something like $_SERVER['HTTP_REFERER'] to check? Basically, if the token is set, but the referer is not my site, I can show them a session error or something? But looking at the PHP manual it says HTTP_REFERER "...This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted..." Any ideas?
Daniel0, posted April 26, 2009:

Don't rely on the referrer. It's better to set a token like that and check it on the subsequent request.
tefuzz (Author), posted April 26, 2009:

That's what I am doing, but even if I leave the page and come back, it still keeps the session going and my values are still there...
Daniel0, posted April 26, 2009:

Of course it keeps the session going. That's what it's meant to do. Unless you overwrite the value or delete the value, it will persist along several requests as designed.
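Daniel0's point, as an added example that is not code from the thread: the session has no way of knowing that the user visited another site in between, so "leaving the form" has to be defined by the application. The rule implemented here is the one the question asks for: a plain GET of step 1 is a fresh start and discards saved values, while a POST (the validation round-trip that refills valid fields) or a GET carrying `?back=1` (the link step 2 offers) continues the flow and keeps them. Only values that pass validation are stored, so invalid fields come back empty. Helper names, the `$_SESSION['flow']` key and the `back` parameter are hypothetical; assumes PHP 7 or later.

```php
<?php
// Added example (not from the thread): keeping multi-step form data only while the
// user is inside the flow. The server cannot see that someone went to another site
// and came back, so the rule here is: a plain GET of step 1 starts over, while a
// POST (validation round-trip) or a GET with ?back=1 (the link step 2 offers) keeps
// what was entered. Helper names are hypothetical; assumes PHP 7+.
declare(strict_types=1);

// Replace any saved data with an empty flow.
function startFlow(): void {
    $_SESSION['flow'] = ['data' => []];
}

// A request continues the flow if it is a form submission or an explicit
// in-flow "back" navigation; any other arrival at step 1 is treated as new.
function isContinuation(string $method, array $query): bool {
    return $method === 'POST' || isset($query['back']);
}

// Call at the top of the entry page (step 1) before reading any saved values.
function enterStep1(): void {
    if (!isset($_SESSION['flow']) || !isContinuation($_SERVER['REQUEST_METHOD'], $_GET)) {
        startFlow();   // new visit to the entry page: discard anything left over
    }
}

session_start();
enterStep1();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // real field validation goes here; only values that passed are stored,
    // so a field that failed comes back empty on the re-render
    $email = trim($_POST['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $_SESSION['flow']['data']['email'] = $email;
    }
}
$email = $_SESSION['flow']['data']['email'] ?? '';
?>
<form method="post">
  <input type="email" name="email" value="<?= htmlspecialchars($email, ENT_QUOTES) ?>">
  <button type="submit">next</button>
</form>
<!-- step2.php links back to this page as step1.php?back=1 so the saved data survives -->
```

Two caveats worth knowing before relying on this: the browser's Back button reaches step 1 as a plain GET (or serves a cached copy) rather than through the `?back=1` link, so the in-flow link is the only navigation that preserves data, and a session cookie with lifetime 0 ends when the browser is closed but not when the user merely visits another site. A time limit on the saved data, if one is wanted, belongs in enterStep1 alongside the continuation check.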