Hi,

So I have a private page where I have a delete button.

The delete button just links to a page something like this: mysite.com/?postid=123&confirm=1 When confirm is set, the page is deleted.

The problem is, a malicious person could reverse engineer the URL and trick (logged in) users of the site into clicking the link.

How can I verify that the last page visited was from my site, in the private section?

Possible solutions:

I was thinking HTTP_REFERER (misspelled due to HTML standard stupidity), but heard it's not robust.

Right now I'm just setting a cookie for 1 minute, to limit the likelihood of hacking, but wonder if there is a better way.

https://forums.phpfreaks.com/topic/291080-making-a-secure-delete-button-best-way/

First of all, using a GET request to change data is wrong. The HTTP specification clearly states that GET is only for fetching a resource and must not have any side effects. To change data, you use POST.

Fixing this does not solve the problem, but it already makes it less bad, because the user doesn't (accidentally) trigger an action merely by visiting a URL.

The attack you describe is called cross-site request forgery (CSRF). To protect the user against CSRF, you generate a random token, store it in the user's session and include it in every critical form as a hidden field. Upon submission, you check if the token from the hidden field is present and matches the token in the session. If it is, you accept the request, otherwise you reject it.

The reason why this works is because other users cannot read the token, so they are not able to "forge" a request on behalf of that user. See the link for a more detailed explanation.

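The scheme described in the reply above, written out as an added example (this is not code from the thread or from either poster). It assumes a few things that are not in the original: the delete handler lives at a hypothetical /delete.php, the session is passed in as a plain array so the script runs from the CLI without a web server (in a real page you would pass $_SESSION after session_start()), and the actual deletion is a hypothetical callback standing in for whatever your existing delete code does.

```php
<?php
// Added example: CSRF token check for a POST-based delete button.
// Not part of the original thread; paths, function names and the
// constructed session array below are assumptions for the demo.
declare(strict_types=1);

// Issue the per-session CSRF token, or reuse the one already stored.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: an attacker on another
        // site cannot read or guess this value.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the token submitted with the form against the one in the session.
function csrf_valid(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() runs in constant time, so response timing leaks nothing.
    return hash_equals($session['csrf_token'], $submitted);
}

// Render the delete button as a POST form with the token in a hidden field.
// Action path /delete.php is a hypothetical name for this example.
function delete_form(int $postId, string $token): string
{
    $id  = htmlspecialchars((string) $postId, ENT_QUOTES, 'UTF-8');
    $tok = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/delete.php">'
         . '<input type="hidden" name="postid" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $tok . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

// Server side: only a POST carrying a valid token may delete anything.
// Returns the HTTP status the page should send back.
function handle_delete(string $method, array $post, array $session, callable $deletePost): int
{
    if ($method !== 'POST') {
        return 405; // GET must never change data, so the old link does nothing
    }
    if (!csrf_valid($session, $post['csrf_token'] ?? null)) {
        return 403; // token missing or wrong: treat the request as forged
    }
    $id = filter_var($post['postid'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400; // postid is not an integer
    }
    $deletePost($id); // hypothetical stand-in for your real delete logic
    return 200;
}

// Constructed session array used instead of $_SESSION so this runs from the CLI.
$session = [];
$token   = csrf_token($session);
echo delete_form(123, $token), PHP_EOL;

$deleted    = [];
$deletePost = function (int $id) use (&$deleted): void { $deleted[] = $id; };

// 1. Legitimate submission from our own form (token matches the session).
var_dump(handle_delete('POST', ['postid' => '123', 'csrf_token' => $token], $session, $deletePost));
// 2. Forged POST from another site: the attacker had to guess the token.
var_dump(handle_delete('POST', ['postid' => '123', 'csrf_token' => 'guess'], $session, $deletePost));
// 3. The original GET-style link: rejected before the token is even looked at.
var_dump(handle_delete('GET', ['postid' => '123'], $session, $deletePost));
var_dump($deleted);
```

Only the first call reaches the delete callback; the forged POST and the GET are rejected, and $deleted ends up holding just the one id. Two points worth keeping in mind when you move this into a real page: call csrf_token() once per session and put it in every state-changing form (not only delete), and compare with hash_equals() rather than == so the check is not weakened by PHP's loose comparison or by timing differences.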

If you're using Symfony 2 (or willing to switch) there is FOSUserBundle which is commonly used. It's not a drop-in ready system but it provides a solid base which you can use with fairly minimal configuration/coding required.
