sessions in forms not perfect?

digitalecartoon

I don't completely understand how to use session for securing a form script. This is what I've got now:

<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
//rest of page showing flash movie

This sets the session upon visiting my site. When the form sends its data to the mailform.php:

<?php 
session_start(); 
if(!isset($_SESSION["domino"])){ 
//error message 'forbidden access' 
exit; 
} else { 
session_destroy(); 
unset ($_SESSION["domino"]); 
//rest of script: processing the form input 
}

This checks for the session-id. This should verify that the user sent the form through my website. According to tutorials and the use of sessions in mailforms anyway.

But I've found a way to bypass this. If I know the mailform is at www.test.com/mailform.php, I wouldn't get access to it accessing it directly. As it shouldn't. But when I know it's at www.test.com/mailform.php, all I have to to is type www.test.com (or www.test.com/index.php) to have the session set. Then I could do anything I want, visit other sites, whatever. As long as I don't close the browser. And finally, to abuse the mailform.php file, I just have to type in www.test.com/mailform.php and I get access, cause the session is still set. That way I could always make use of the php script even when I'm not supposed to. Am I using session not correctly? I thought session-id's should prevent such a thing?

Kudose

You should set a unique session variable like $SESSION['beenToMailPage'] on your form page ONLY and unset($SESSION['beenToMailPage']) on your form's processing page/area.

You could also use CAPTCHA.

digitalecartoon

Isn't that what I've done? Instead of your
$SESSION['beenToMailPage']
I'm using
$SESSION["domino"] = true;

and I've used unset:
unset ($_SESSION["domino"]);

and still my bypass is possible by first visiting my site and then accessing the mailform.php location directly

Kudose

You have to be setting domino on your landing page or some other page then.

Try using print_r($_SESSION) on every page to see where it gets set first. Try closing your browser first to clear the session data.

digitalecartoon

It IS set on my landing page. The landingpage, being index.php starts and sets the domino-session:

html

<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
//rest of page showing flash movie

The php script which I want to secure checks for the domino session variable?

<?php
session_start();
if(!isset($_SESSION["domino"])){
//error message 'forbidden access'
exit;
} else {
session_destroy();
unset ($_SESSION["domino"]);
//rest of script: processing the form input
}

Kudose

Then it is doing what you tell it to ... not what you want it to do.

If you want people to have to use your form page, you need to set a session variable that is activated ONLY on that page and then unset it on all other pages.