session token not matching with form submit. Need new pair of eyes to look at it.

helloworld001 · August 21, 2015

I need new pair of eyes to look at this and tell me what's wrong with it.

All I am trying to do is have a simple form that submits data to database. It works without the "token". With the token code added, it won't let process. I even did var_dump and the session and the $_post code doesn't match.

Here's the code. Btw, session_start() and the database connection are in the init.php file.

<?php require_once 'init.php';

$token = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$_SESSION['token'] = $token;
		
if(isset($_POST['register'], $_POST['token'])) {
	
	if($_POST['token'] === $_SESSION['token']) {
	
		$email 		 	 = trim($_POST['email']);
		$password	 	 = trim($_POST['password']);
		
		if(empty($email)) {
							
			$error = 'Email is required!';
			
		} else if(empty($password)) {
		
			$error = 'Password is required!';
			
		} else if(strlen($password) < 6) {
		
			$error = 'Password must be at least 6 characters long!';
		
		} else {
							
			$findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
			$findUser->bindParam(':email', $email);
			$findUser->execute();
			$resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);
			if(count($resultFind) > 0) {
			
				$error = 'The email already exists! Please try a different email!';
			
			} else {
			
				//Hash the password as we do NOT want to store our passwords in plain text.
				$passwordHash = password_hash($passward, PASSWORD_BCRYPT, array("cost" => 12));
				
				$insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
				$insertUser->bindParam(':email', $email);
				$insertUser->bindParam(':password', $passwordHash);
				$resultInsert = $insertUser->execute();
				if($resultInsert == false) {
				
				
					$error = 'There was a problem creating your account. Please try again later!';
				
				} else {
				
					$success = 'Your account has been created.';
					unset($_SESSION['token']);
				}
			
			}
			
		}
   } else {
   
	$error = 'The tokens do not match!';
	
   }
	
}

?>

<h1>Sign up</h1>
<form action="" method="post">
	<fieldset>
		<input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
	</fieldset>
	<fieldset>
		<input type="password" name="password" placeholder="Password" />
	</fieldset>
	<fieldset>
		<input type="hidden" name="token" value="<?php echo $token; ?>" />
		<input type="submit" name="register" value="Sign up" />
	</fieldset>
</form>

QuickOldCar · August 21, 2015

The $_SESSION['token'] always a new random, I added a check..

You also had a typo on $password as $passward

<?php
require_once 'init.php';

if(!isset($_SESSION['token'])){
$_SESSION['token'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
}

if(isset($_POST['register'], $_POST['token'])) {
    
    if($_POST['token'] === $_SESSION['token']) {
    
        $email               = trim($_POST['email']);
        $password          = trim($_POST['password']);
        
        if(empty($email)) {
                            
            $error = 'Email is required!';
            
        } else if(empty($password)) {
        
            $error = 'Password is required!';
            
        } else if(strlen($password) < 6) {
        
            $error = 'Password must be at least 6 characters long!';
        
        } else {
                            
            $findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
            $findUser->bindParam(':email', $email);
            $findUser->execute();
            $resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);
            if(count($resultFind) > 0) {
            
                $error = 'The email already exists! Please try a different email!';
            
            } else {
            
                //Hash the password as we do NOT want to store our passwords in plain text.
                $passwordHash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 12));
                
                $insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
                $insertUser->bindParam(':email', $email);
                $insertUser->bindParam(':password', $passwordHash);
                $resultInsert = $insertUser->execute();
                if($resultInsert == false) {
                
                
                    $error = 'There was a problem creating your account. Please try again later!';
                
                } else {
                
                    $success = 'Your account has been created.';
                    unset($_SESSION['token']);
                }
            
            }
            
        }
   } else {
   
    $error = 'The tokens do not match!';
    
   }
    
}

?>

<h1>Sign up</h1>
<form action="" method="post">
    <fieldset>
        <input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
    </fieldset>
    <fieldset>
        <input type="password" name="password" placeholder="Password" />
    </fieldset>
    <fieldset>
        <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
        <input type="submit" name="register" value="Sign up" />
    </fieldset>
</form>

mac_gyver · August 21, 2015

producing the token is part of the code that produces the output on the page and outputs the form. you have it before the start of the form processing code, so it (re)generates a token when the form is submitted and the value being used in the form processing code is a newly generated value, not the value that was generated at the time the form was produced. put the token generation logic after the form processing code, and before the form code.

helloworld001 · August 21, 2015

The $_SESSION['token'] always a new random, I added a check..

You also had a typo on $password as $passward

<?php
require_once 'init.php';

if(!isset($_SESSION['token'])){
$_SESSION['token'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
}

if(isset($_POST['register'], $_POST['token'])) {
    
    if($_POST['token'] === $_SESSION['token']) {
    
        $email               = trim($_POST['email']);
        $password          = trim($_POST['password']);
        
        if(empty($email)) {
                            
            $error = 'Email is required!';
            
        } else if(empty($password)) {
        
            $error = 'Password is required!';
            
        } else if(strlen($password) < 6) {
        
            $error = 'Password must be at least 6 characters long!';
        
        } else {
                            
            $findUser = $db->prepare("SELECT email FROM users WHERE email = :email");
            $findUser->bindParam(':email', $email);
            $findUser->execute();
            $resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC);
            if(count($resultFind) > 0) {
            
                $error = 'The email already exists! Please try a different email!';
            
            } else {
            
                //Hash the password as we do NOT want to store our passwords in plain text.
                $passwordHash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 12));
                
                $insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)");
                $insertUser->bindParam(':email', $email);
                $insertUser->bindParam(':password', $passwordHash);
                $resultInsert = $insertUser->execute();
                if($resultInsert == false) {
                
                
                    $error = 'There was a problem creating your account. Please try again later!';
                
                } else {
                
                    $success = 'Your account has been created.';
                    unset($_SESSION['token']);
                }
            
            }
            
        }
   } else {
   
    $error = 'The tokens do not match!';
    
   }
    
}

?>

<h1>Sign up</h1>
<form action="" method="post">
    <fieldset>
        <input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" />
    </fieldset>
    <fieldset>
        <input type="password" name="password" placeholder="Password" />
    </fieldset>
    <fieldset>
        <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
        <input type="submit" name="register" value="Sign up" />
    </fieldset>
</form>

Ahh yes I see what you did there. It works. The only thing is that it doesn't work with "mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)". But if I try "uniqid()", then it'll work. Is there anything else I can use to make it more secure?

helloworld001 · August 21, 2015

producing the token is part of the code that produces the output on the page and outputs the form. you have it before the start of the form processing code, so it (re)generates a token when the form is submitted and the value being used in the form processing code is a newly generated value, not the value that was generated at the time the form was produced. put the token generation logic after the form processing code, and before the form code.

That makes sense. It works now. Thanks.

Sign In

session token not matching with form submit. Need new pair of eyes to look at it.

Recommended Posts

helloworld001

Link to comment

Share on other sites

QuickOldCar

Link to comment

Share on other sites

mac_gyver

Link to comment

Share on other sites

helloworld001

Link to comment

Share on other sites

helloworld001

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information