Ask a question    Sign Up Sign In
  1. Home
  2. php - Form spoofing and methods to solve it

967 votes
1 answers

php - Form spoofing and methods to solve it

Get the solution ↓↓↓

Solution:

You are effectively reinventing the wheel, since the token requires a valid session to validate and thus only repeats the security layer of sessions while not adding anything extra. It is the equivalent of asking for someone to enter their password in and then asking for it again to be sure. It may make everyone feel better, but if the password has been compromised, it only slows down the attack but doesn't prevent it.

This isn't to suggest that you shouldn't take these things seriously or to dismiss your attempts. It is my philosophy that the content of the form (What is passed in viaGET orPOST) should be separated from other logic, such as security and calculations, and that the server should not consider user-supplied data as anything other than user-supplied data. Ideally anyone could post anything to a forms action, and the server/controller will manage it correctly and consistently. The session is verified (security), the data is sanitized and then validated, and any values that are generated via JS when the user is actually using the web form is recalculated/verified. The response, ideally, is generic enough, either a redirect or web-standard response, so that the requester, be it a web browser, command line user, or web service can interpret it.

If the above were the case, there would be less emphasis and concern of spoofing, more emphasis on enhancing security layers and validation layers separately, and, best of all, the back-end controller that did this well could easily be ported/reused as a web service backend.

Long story short: Your solution isn't bad, it just isn't adding any real security as far as I can tell, and may even expose your back-end security logic. If you have a specific spoofing concern/threat, it would be better to address that use case and work your way out rather than try to come up with a one-size-fits all solution right away. It may turn out that your use cases have specific solutions/considerations that need to addressed at different points of the exchange.

13
votes

Answer

Solution:

Don't reinvent the wheel. If you're not using a web framework, integrate one of the myriad libraries that add CSRF protection to your project such as CSRF4PHP.

Your solution is close, but wouldn't work because the session ID would be scrapable by an attacker.

Write your answer



Share solution ↓

Additional Information:
Link To Source
People are also looking for solutions of the problem: trying to access array offset on value of type null

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Similar questions

Find the answer in similar questions on our website.

771 php - Solve PHP4 to PHP5 ugrade error
611 php - Symfony3 Form Error - A form with an empty name cannot have a parent form
410 php - Split a string by number of chars without splitting a word
906 php - the better method to store page hits in crowded site
780 php - S3 signed url not working through form submit
576 [PHP][MySQL] How to implement a title field for each selected file in an upload form?
204 php - Converting html site to static wordpress site
838 php - Exploit on HTTPS, how change https form value
551 Switching language while staying on the same page in PHP
847 php - Pagination, searching and sorting is not working in jquery datatable in codeigniter using ajax

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.





About the technologies asked in this question

PHP

PHP (from the English Hypertext Preprocessor - hypertext preprocessor) is a scripting programming language for developing web applications. Supported by most hosting providers, it is one of the most popular tools for creating dynamic websites. The PHP scripting language has gained wide popularity due to its processing speed, simplicity, cross-platform, functionality and distribution of source codes under its own license.
https://www.php.net/

Welcome to programmierfrage.com

programmierfrage.com is a question and answer site for professional web developers, programming enthusiasts and website builders. Site created and operated by the community. Together with you, we create a free library of detailed answers to any question on programming, web development, website creation and website administration.

Get answers to specific questions

Ask about the real problem you are facing. Describe in detail what you are doing and what you want to achieve.

Help Others Solve Their Issues

Our goal is to create a strong community in which everyone will support each other. If you find a question and know the answer to it, help others with your knowledge.