[RESOLVED] POST Form Authentication

Pigmaster

Hello.

I am looking for a way to perform POST Form Authentication. ie I want to make sure that the data being posted is from my form ONLY and not from anywhere else.


<form id="form2" name="form2" method="post" action="">
  <p>
    <label>System Value
      <input type="text" name="Sysval" id="Sysval" />
    </label>
  </p>
  <p>
    <label>
      <input type="submit" name="Buton_Submit" id="Buton_Submit" value="Submit" />
    </label>
  </p>
</form>

The above is a simple form that will send the POST data to it's own page.

I first thought of using a simple hidden form element.

<input name="hiddenField" type="hidden" id="hiddenField" value="ItIsSecure" />

and on receiving the POST data PHP would check first that that if there was POST data then then check for the value of the hidden fiels. If the value is correct then it is authenticated.

However I feel this to be too lax as anybody could just look at the HTML page source to see the contents of the hidden field then use it to forge the form.

I thought that maybe using the server variable to check the referring page and if it is the correct page then form is authenticated however I am sure that someone could also forge this.

So, is there a good way to authenticate the POST data is from the correct form and not being forged in some way.

Any help would be good.

bradgrafelman

Pigmaster;10944214 wrote:
I thought that maybe using the server variable to check the referring page and if it is the correct page then form is authenticated however I am sure that someone could also forge this.

You are correct; not only is the REFERER header not even required (meaning you shouldn't depend on its presence), but it's a client-side header, meaning it can be forged/altered to whatever the end user would like it to be.

Pigmaster;10944214 wrote:
So, is there a good way to authenticate the POST data is from the correct form and not being forged in some way.

Is there a completely foolproof way? IMHO, no, there is no way you can be 100% sure that the data was posted from your form.

You could, however, try using a session; when the user first visits the login page, start a session and set some flag (e.g. set "login_page" to TRUE in the session). That way, when you process the POST'ed data, you would first check for the presence of that session variable before processing the data.

Note that this could still be fooled, however.

EDIT: Perhaps there is a better way to ensure security, though. Why is it that you want to accomplish this in the first place?

djjjozsi

Using a captcha would make this form more secure, If you wanted to stop automated scripts.

Pigmaster

djjjozsi;10944294 wrote:
Using a captcha would make this form more secure, If you wanted to stop automated scripts.

Thanks djjjozsi, though it's not really about stopping automated scripts but more of making sure that the data being POSTed is from the actual form on the site and not via some hack forging data.

Pigmaster

bradgrafelman;10944258 wrote:
Note that this could still be fooled, however.

EDIT: Perhaps there is a better way to ensure security, though. Why is it that you want to accomplish this in the first place?

Thanks bradgrafelman, I agree with most things being fooled.

Now onto why!

I am just writing a page update for one of my sites (Adding a simple blogging page) and doing a little research before hand I wanted to see if there was a secure way of passing POSTed data to the php backend from forms.

All the data is is validated and sanitized before PHP gets working on the POSTed data but I just wanted to be secure in my programming method.

bradgrafelman

Ah, I see. Well as long as you've made sure that you're sanitizing all user-supplied data, there's only so much you can do beyond that.

Adding a session variable check and a CAPTCHA well at least fool simple automated scripts, but there's simply no way to ensure the integrity of the form itself. For example, there's a plugin for FireFox that allows you to modify the HTML of the page you're viewing and have the changes affect the page in realtime, so you could modify/add form elements on-the-fly before submitting it.