
form tokens


superaktieboy


I have noticed that many websites and php software generate a random token and put it in a hidden form field to be sent to the php page that gets the form. I was just wondering, if anyone knows how this makes a php script more secure? And is it worth it to put this in my application?

I have read a few tutorials on this, but they don't specifically say why this is more secure than not having it. The only reason I could find is that it helps make sure you don't get duplicate form submissions; however, I have always gotten around that by redirecting the user to a page saying the form was submitted successfully.

Cheers for your help.


Tokens "may" help against cross site request forgeries, but I mainly use them to deter automated spam bots that submit spam and possibly malicious code to forms processing pages.

 

You may have already seen this, but it outlines the CSRF and there are some automated form submission comments below: http://shiflett.org/articles/cross-site-request-forgeries

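For the CSRF angle mentioned above, here is what the hidden-field token pattern from the original question looks like in PHP. This is an added example, not code from the thread; it assumes PHP 7 or later (for random_bytes and hash_equals) and a working session store, and the field name csrf_token and the thanks.php redirect target are made up for the illustration.

```php
<?php
// Added example: per-session anti-CSRF token for a PHP form.
// A page on another site can make the victim's browser POST to us, but it
// cannot read the token stored in the victim's session, so the forged
// request arrives without a matching token and is rejected.
declare(strict_types=1);

session_start();

// Create the token once per session and keep the reference copy server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time.
function csrf_valid(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... process the submission here ...
    header('Location: thanks.php'); // the redirect still prevents duplicate submissions
    exit;
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <label>Comment: <input type="text" name="comment"></label>
  <button type="submit">Send</button>
</form>
```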

Security is always something good to implement in anything on any website that has user driven data, whether it's a contact form that just emails you, or a form that stores data in a database. If you're giving your users the ability to type anything anywhere (even in the URL, i.e. ?id=blah) you want to authenticate them and secure them.

 

The tokens you're speaking of generally aren't needed unless you are passing data that needs a form of confirmation. Example: let's say I have a small paypal button on my site and set prices on something. I will create an MD5 sha1 encrypted hash based on the price, item number, and a couple other variables, variables I can generate on my end that are able to be regenerated again but not from things like sessions, post, get, request, or cookies, because those aren't fool proof, as again they can be altered on the user end or through XSS attacks. So anyway I send this hash/token to paypal via a hidden element that paypal will pass back to my thank you page. Then on my thank you page I can revalidate that hash/token by recreating it on my end and then verify that against the other things paypal sends back to the thank you page, such as the item price they processed on their end.

 

Again this is just an example of what I would use a token for.. but generally, other than where a user can take data and manipulate it where it matters, such as a payment system, a score tracking system on a game, or other things that need to be reverified time and time again between user end and server side to ensure the integrity of the data is not being manipulated to get a super cheap price on an item or boost one's score through the roof... I don't really see much of a point to using tokens/hashes so long as you are validating your data in your forms so someone can't break your script and inject their code in. I'm sure some will argue that, but this is me, my opinion. It's been working for me. But then again I could have the concept of token usage completely wrong, and you may be wanting to do something entirely different. I just felt like putting my 2 cents in regardless though.

 

Based on what I said above, if you want to create your own tokens, I would suggest creating a sha1 hash based on various confirmable variables that can be generated from the server side. Example: username/id + unique hardcoded key (or 2) + a timestamp you would save in a cookie. Then wrap that sha1 hash in an md5 hash.. Some may say it's a bit redundant to wrap it in an md5, and to just go with md5; however md5 is easy to crack and once you crack it you can reuse it and get the same results every time. If you salt it with a sha1 hash you'll get an output that can only be verified through the same exact inputs, but won't get the same result every time for anything similar (but then again I am also applying the logic I use to generate stored user passwords in a database with this last part).

 

Well I know I don't always make sense, especially when I am putting thoughts to forum. But I hope this helps somehow.
