Hi all, thanks in advance for some help here...

I know the trick to generate a unique session token on a form page, echo that in a hidden field in a form, and then on the post page compare the two to see if they are the same to prevent form spoofing.

But what if the page is post-ing to itself instead of another? I don't know how to get around that in a "best practice" sort of way but am trying to find that info...

Any pointers there, with a tiny example please?

Thanks again!

phpnoob

    php noob wrote:

    I know the trick to generate a unique session token on a form page, echo that in a hidden field in a form, and then on the post page compare the two to see if they are the same to prevent form spoofing.

    I am not in favour of this as I feel that it is more important to have proper input validation and complete mediation rather than to try and prevent people from writing their own forms and submitting them. After all, it is still possible to load and parse your form for the hidden field, and then incorporate that in the "custom" form and submit that one instead.

    In my opinion, the real problem with form spoofing is the type where there is impersonation (i.e., phishing attacks), not where there is an alternative to the form that you provide.

    php noob wrote:

    But what if the page is post-ing to itself instead of another?

    Why would that make it any different?

      I see... thanks for the feedback. It seemed pretty useless even to me to use the token scheme since it can be stuck in anyway just as you say, but is still mentioned as an option in some php security books...

      specifically this snippet:
      http://books.google.com/books?id=MUi_4hynSgoC&pg=PA28&dq=php+token+form+security#PPA27,M1

      Why would that make it any different?

      Because in that snippet example, if the token is generated on the form page then a new one would overwrite when POST-ing to itself and couldn't be compared to the one in form...

      Any definitive php security book you could recommend? I now see some mediocre reviews of the one I mentioned in the link above...

      thanks again! 🙂

        php noob wrote:

        I see... thanks for the feedback. It seemed pretty useless even to me to use the token scheme since it can be stuck in anyway just as you say, but is still mentioned as an option in some php security books...

        specifically this snippet:
        http://books.google.com/books?id=MUi...urity#PPA27,M1

        Oh, Shiflett's idea is to use this to perform complete mediation: the user is verified as having the authority to submit the form due to the presence of the token in his/her session. This would be well and good.

        php noob wrote:

        Because in that snippet example, if the token is generated on the form page then a new one would overwrite when POST-ing to itself and couldn't be compared to the one in form...

        First process the form, and then generate the new token.
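        An added example of the "process first, then generate the new token" ordering for a self-posting page (this is illustration code written for this thread, not code from the original posts or from Shiflett's book; the field name `comment`, the `csrf_token` key and the `save_comment()` helper are assumptions):

```php
<?php
// Self-posting form with a per-session anti-forgery token.
// Order of operations on a POST: 1) check the token that was issued when the
// form was rendered, 2) validate the input, 3) only then rotate the token for
// the form that is about to be rendered again. Generating the new token
// before step 1 would overwrite the value the browser is about to send back.
declare(strict_types=1);
session_start();

/** True only if the session token and the submitted token both exist and match. */
function csrf_token_is_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so a mismatch position is not observable.
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

/** Store a fresh CSPRNG-backed token in the session and return it. */
function rotate_csrf_token(): string
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex characters
    return $_SESSION['csrf_token'];
}

/** Input validation is independent of the token check; the token only proves the request came from our form in this session. */
function validate_comment(string $raw): ?string
{
    $comment = trim($raw);
    if ($comment === '' || mb_strlen($comment) > 1000) {
        return null;
    }
    return $comment;
}

/** Hypothetical application logic; here it just appends to the session. */
function save_comment(string $comment): void
{
    $_SESSION['comments'][] = $comment;
}

$errors  = [];
$notice  = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_SESSION, $_POST)) {
        $errors[] = 'Invalid or missing form token; please reload and resubmit.';
    } else {
        $comment = validate_comment((string) ($_POST['comment'] ?? ''));
        if ($comment === null) {
            $errors[] = 'Comment must be between 1 and 1000 characters.';
        } else {
            save_comment($comment);
            $notice = 'Thanks, your comment was saved.';
        }
    }
    // The submitted token has now been consumed: issue a new one for the re-rendered form.
    $token = rotate_csrf_token();
} else {
    // First visit in this session: create a token; later GETs reuse it so that
    // several open tabs of the same form keep working.
    $token = $_SESSION['csrf_token'] ?? rotate_csrf_token();
}

$esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<!DOCTYPE html>
<html lang="en">
<body>
<?php foreach ($errors as $e): ?>
  <p class="error"><?= $esc($e) ?></p>
<?php endforeach; ?>
<?php if ($notice !== ''): ?>
  <p class="ok"><?= $esc($notice) ?></p>
<?php endif; ?>
<!-- action is empty, so the form posts back to this same script -->
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $esc($token) ?>">
  <textarea name="comment" maxlength="1000"></textarea>
  <button type="submit">Post comment</button>
</form>
</body>
</html>
```

        The token check is deliberately separate from `validate_comment()`: the token answers "did this request originate from a form this session was shown?", while validation answers "is the data acceptable?", which matches the earlier point in the thread that a token does not replace input validation. Note also that the token is only useful against cross-site requests; anyone who can already read the rendered page (the user, or a script running in it) can read the hidden field, which is why it does not stop a user from hand-building their own form.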
