anderson_catchme Posted September 15, 2014

Hi, So I have a private page where I have a delete button. The delete button just links to a page something like this: mysite.com/?postid=123&confirm=1 When confirm is set, the page is deleted. The problem is, a malicious person could reverse engineer the URL and trick (logged in) users of the site into clicking the link. How can I verify that the last page visited was from my site, in the private section? Possible solutions: I was thinking HTTP_REFERER (misspelled due to html standard stupidity), but heard it's not robust. Right now I'm just setting a cookie for 1 minute, to limit the likelihood of hacking, but wonder if there is a better way.
Jacques1 Posted September 15, 2014

First of all, using a GET request to change data is wrong. The HTTP specification clearly states that GET is only for fetching a resource and must not have any side effects. To change data, you use POST. Fixing this does not solve the problem, but it already makes it less bad, because the user doesn't (accidentally) trigger an action merely by visiting a URL. The attack you describe is called cross-site request forgery (CSRF). To protect the user against CSRF, you generate a random token, store it in the user's session and include it in every critical form as a hidden field. Upon submission, you check if the token from the hidden field is present and matches the token in the session. If it is, you accept the request, otherwise you reject it. The reason why this works is because other users cannot read the token, so they are not able to “forge” a request on behalf of that user. See the link for a more detailed explanation.
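The token flow Jacques1 describes, written out as an added PHP example; it is not code from this thread or from any project mentioned in it, and it assumes PHP sessions are available and a hypothetical deletePost() application function:

```php
<?php
// Added example (not from the thread): the session CSRF token Jacques1 describes.
// Assumes PHP sessions and a hypothetical deletePost() application function.
declare(strict_types=1);

session_start();

// Issue one random token per session (regenerate it on login/logout, not per
// request, so that several open tabs keep working).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrfTokenIsValid($submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged cross-site request cannot read the session token, so it
    // cannot include it: reject anything that does not carry it.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $postId = filter_input(INPUT_POST, 'postid', FILTER_VALIDATE_INT);
    if ($postId === false || $postId === null) {
        http_response_code(400);
        exit('Bad post id.');
    }
    // deletePost($postId); // hypothetical application function
    exit('Post ' . $postId . ' deleted.');
}

// GET only renders the form; the state change happens on POST.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
$postId = 123; // constructed sample id
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="postid" value="' . $postId . '">'
   . '<button type="submit">Delete post</button>'
   . '</form>';
```

Note that the GET request only renders the form; the delete itself happens on the POST, and a request that lacks the session's token is refused before any id is processed.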
anderson_catchme Posted September 15, 2014 (Author)

Well what do you know, it's not just noobs, turns out my usermanagement script is vulnerable to this attack. However, this one isn't, supposedly: http://www.userfrosting.com/
anderson_catchme Posted September 15, 2014 (Author)

Turns out user-frosting is extremely slow, at least on my end. Can anybody recommend a secure user-management script? I don't care if it isn't free.
kicken Posted September 15, 2014

If you're using Symfony 2 (or willing to switch) there is FOSUserBundle which is commonly used. It's not a drop-in ready system but it provides a solid base which you can use with fairly minimal configuration/coding required.