ajax - Can multiple submissions of PHP forms be effectively prevented with sessions without destroying the caching mechanism?
Let's say we have a certain endpoint in a Symfony CMS application for receiving form submissions (e.g. of a contact form). This endpoint sends a copy of the contact form contents to the E-Mail entered within the contact form.
As soon as an attacker finds out how the endpoint works (which is pretty easy), he could just go behind the Captcha after validating it once and use the endpoint directly in order to send thousands of E-Mails using the sender address of the company's mailserver (server-side Captcha validation will help, but it is not a full answer to this question).
Therefore a mechanism is needed in order to prevent attackers from doing this, at least too easily. The first solution which came to my mind was tokens. The problem with tokens is that they do not play very well together with caching; implementing an ajax endpoint for tokens would just require an attacker to fetch a new token from the first endpoint and send it to the other endpoint along with new data.
So my idea is like this:
Create an ajax endpoint which creates a PHP session. It is called via JavaScript every time a page with a form is opened (so there will be a PHP session whenever a form is submitted).
If the form is submitted and there is no valid session, the server instantly returns an error after sending the form.
The form ID will be saved within the session. On the server side it is validated if the form was sent by this user within e.g. the last two minutes and if yes, form processing is denied.
The SessionService class which does session_start(); is only included in the ajax endpoint for creating sessions as well as in the ajax endpoint for form submissions. Therefore normal CMS pages can still be cached as session_start(); is never called.
Is there a serious issue with this kind of implementation or is it a good solution to the problem? If you see a problem, how would you solve it instead?
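
The scheme described in the question, sketched as an added example (not code from the original post). The class name, session keys and HTTP status codes are assumptions, and a plain array stands in for $_SESSION so the logic can be run from the command line.

```php
<?php
declare(strict_types=1);

// Added example. FormThrottle, 'form_init' and 'form_sent' are hypothetical names.
final class FormThrottle
{
    // "the last two minutes" from the question
    public const COOLDOWN_SECONDS = 120;

    /** Called by the ajax endpoint that creates the session. */
    public static function init(array &$session, int $now): void
    {
        $session['form_init'] = $session['form_init'] ?? $now;
        $session['form_sent'] = $session['form_sent'] ?? [];
    }

    /** Called by the submission endpoint; returns the HTTP status to answer with. */
    public static function check(array &$session, string $formId, int $now): int
    {
        if (!isset($session['form_init'])) {
            return 403; // no valid session: reject before any form processing
        }
        $last = $session['form_sent'][$formId] ?? null;
        if ($last !== null && $now - $last < self::COOLDOWN_SECONDS) {
            return 429; // this session already sent this form inside the window
        }
        // Record the submission before mail is sent, so a failure while
        // sending cannot be used to retry without the cooldown applying.
        $session['form_sent'][$formId] = $now;
        return 200;
    }
}

// Constructed walk-through; in the two endpoints, call session_start()
// and pass $_SESSION and time() instead of $s and the fixed timestamps.
$s = [];
echo FormThrottle::check($s, 'contact', 1000), "\n"; // init endpoint not called yet
FormThrottle::init($s, 1000);
echo FormThrottle::check($s, 'contact', 1005), "\n"; // first submission
echo FormThrottle::check($s, 'contact', 1060), "\n"; // 55 s after the first
echo FormThrottle::check($s, 'contact', 1126), "\n"; // 121 s after the first
echo FormThrottle::check($s, 'newsletter', 1130), "\n"; // different form ID
```

The cooldown is keyed to the session, so it bounds submissions per session only; the session-creating endpoint needs its own limit (for example per client address) before the scheme bounds total mail volume.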