Security with forms

hadoob024

I just finally got around to reading that article about PHP security in that Insecure security magazine. In the section "Attacks against client browsers", in the last paragraph, the author states the following:

"Adding randomly generated hidden tokens to forms is the best solution to this problem. In every PHP script which generates a form add a hidden variable containing a random value. Save this value temporarily, such as in $SESSION (which cannot be tampered with by the user) and then check the random value submitted in the form against the one contained in $SESSION. Since an attacker is highly unlikely to guess a the random value correctly if this value is sufficiently long, the form submitted is guaranteed to be the one from the client who requested it."

I was wondering if this is a good method to employ, and if so, how to actually go about doing so?

Rodney_H_

It is a good idea. Do you know how to create a hidden form element?

In the VALUE field, you echo the randomly generated number or value and collect it when processing the form.

So,

There are a number of different ways to actually generate the random value. Have a read here: http://us2.php.net/rand

hadoob024

Cool! Thanks. That does make sense. Yeah, I'm familiar with how to create a hidden form element like you showed. The only thing I'm not sure of is how to access the contents of the variable on the page that gets called as a result of submitting the form. Is it done in the same manner as other form elements? Like would I access your example using:

$_POST['name'];

Thanks again!

Rodney_H_

Yes. That is correct, hadoob024.

hadoob024

Great! Thanks a bunch. I'll be adding that to my site today. Thanks again...