
Session token

Lan Mind
Guest
Posts: n/a
#1: Oct 3 '08
Hello again everybody,

My page: http://www.dockhawk.com/

I'm trying to implement some "session security" PHP script
mentioned in the "Cross-site request forgery" section of this
tutorial (pdf): http://daniel0.net/phpfreaks_tutoria...p_security.pdf

I was trying to figure out if it was functioning by putting a value in
the hidden input that won't be equal to the session token. The hidden
input is in my default.html page inside the <div id="search_form">.

So as the value is wrong the PHP should return "Invalid Token" but
it's not. In earlier testing I had taken away the not "!" in the PHP
and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
and the PHP did return "Invalid Token" as it should have.
It seems the "!" isn't working, I'm not sure. Thank you for your time,
here is the PHP:

<?php

if ($_GET['token'] !== $_SESSION['token']) {
    die('Invalid token');
}

$keyword = $_GET["name"];

require("dockhawk_dbinfo.php");

// Escape the five XML-significant characters. '&' must be replaced first,
// otherwise the entities produced by the later replacements would be
// re-escaped (e.g. '&lt;' would turn into '&amp;lt;').
function parseToXML($htmlStr)
{
    $xmlStr = str_replace('&', '&amp;', $htmlStr);
    $xmlStr = str_replace('<', '&lt;', $xmlStr);
    $xmlStr = str_replace('>', '&gt;', $xmlStr);
    $xmlStr = str_replace('"', '&quot;', $xmlStr);
    $xmlStr = str_replace("'", '&#39;', $xmlStr);
    return $xmlStr;
}

// Opens a connection to a MySQL server
$connection = mysql_connect($hostname, $username, $password);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

// Set the active MySQL database
$db_selected = mysql_select_db($database, $connection);
if (!$db_selected) {
    die('Can\'t use db : ' . mysql_error());
}

// Select matching rows in the markers table. The keyword comes straight
// from the query string, so escape it before interpolating it into the SQL.
$safe_keyword = mysql_real_escape_string($keyword, $connection);
$query = "SELECT * FROM markers WHERE MATCH(operator, name, waterway)
          AGAINST ('$safe_keyword') LIMIT 0, 25";
$result = mysql_query($query);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

header("Content-type: text/xml");

// Start XML file, echo parent node
echo '<markers>';

// Iterate through the rows, printing XML nodes for each
while ($row = @mysql_fetch_assoc($result)) {
    // ADD TO XML DOCUMENT NODE
    echo '<marker ';
    echo 'operator="' . parseToXML($row['operator']) . '" ';
    echo 'name="' . parseToXML($row['name']) . '" ';
    echo 'waterway="' . parseToXML($row['waterway']) . '" ';
    echo 'mile="' . parseToXML($row['mile']) . '" ';
    echo 'address="' . parseToXML($row['address']) . '" ';
    echo 'town="' . parseToXML($row['town']) . '" ';
    echo 'state="' . parseToXML($row['state']) . '" ';
    echo 'lat="' . $row['lat'] . '" ';
    echo 'lng="' . $row['lng'] . '" ';
    echo 'county="' . parseToXML($row['county']) . '" ';
    echo '/>';
}

// End XML file
echo '</markers>';

?>

C. (http://symcbean.blogspot.com/)
Guest
Posts: n/a
#2: Oct 5 '08

re: Session token


On 3 Oct, 20:04, Lan Mind <LANMIN...@gmail.com> wrote:
> Hello again everybody,
>
> My page: http://www.dockhawk.com/
>
> I'm trying to implement some "session security" PHP script
> mentioned in the "Cross-site request forgery" section of this
> tutorial (pdf): http://daniel0.net/phpfreaks_tutoria...p_security.pdf
>
> I was trying to figure out if it was functioning by putting a value in
> the hidden input that won't be equal to the session token. The hidden
> input is in my default.html page inside the <div id="search_form">.
>
> So as the value is wrong the PHP should return "Invalid Token" but
> it's not. In earlier testing I had taken away the not "!" in the PHP
> and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
> and the PHP did return "Invalid Token" as it should have.
>
> It seems the "!" isn't working, I'm not sure. Thank you for your time,
> here is the PHP:
>
> <?php
>
> if ($_GET['token'] !== $_SESSION['token']) {
>     die('Invalid token');
> }
>
> $keyword = $_GET["name"];
>
> require("dockhawk_dbinfo.php");
>
> // Escape the five XML-significant characters. '&' must be replaced first,
> // otherwise the entities produced by the later replacements would be
> // re-escaped (e.g. '&lt;' would turn into '&amp;lt;').
> function parseToXML($htmlStr)
> {
>     $xmlStr = str_replace('&', '&amp;', $htmlStr);
>     $xmlStr = str_replace('<', '&lt;', $xmlStr);
>     $xmlStr = str_replace('>', '&gt;', $xmlStr);
>     $xmlStr = str_replace('"', '&quot;', $xmlStr);
>     $xmlStr = str_replace("'", '&#39;', $xmlStr);
>     return $xmlStr;
> }
>
> // Opens a connection to a MySQL server
> $connection = mysql_connect($hostname, $username, $password);
> if (!$connection) {
>     die('Not connected : ' . mysql_error());
> }
>
> // Set the active MySQL database
> $db_selected = mysql_select_db($database, $connection);
> if (!$db_selected) {
>     die('Can\'t use db : ' . mysql_error());
> }
>
> // Select matching rows in the markers table. The keyword comes straight
> // from the query string, so escape it before interpolating it into the SQL.
> $safe_keyword = mysql_real_escape_string($keyword, $connection);
> $query = "SELECT * FROM markers WHERE MATCH(operator, name, waterway)
>           AGAINST ('$safe_keyword') LIMIT 0, 25";
> $result = mysql_query($query);
> if (!$result) {
>     die('Invalid query: ' . mysql_error());
> }
>
> header("Content-type: text/xml");
>
> // Start XML file, echo parent node
> echo '<markers>';
>
> // Iterate through the rows, printing XML nodes for each
> while ($row = @mysql_fetch_assoc($result)) {
>     // ADD TO XML DOCUMENT NODE
>     echo '<marker ';
>     echo 'operator="' . parseToXML($row['operator']) . '" ';
>     echo 'name="' . parseToXML($row['name']) . '" ';
>     echo 'waterway="' . parseToXML($row['waterway']) . '" ';
>     echo 'mile="' . parseToXML($row['mile']) . '" ';
>     echo 'address="' . parseToXML($row['address']) . '" ';
>     echo 'town="' . parseToXML($row['town']) . '" ';
>     echo 'state="' . parseToXML($row['state']) . '" ';
>     echo 'lat="' . $row['lat'] . '" ';
>     echo 'lng="' . $row['lng'] . '" ';
>     echo 'county="' . parseToXML($row['county']) . '" ';
>     echo '/>';
> }
>
> // End XML file
> echo '</markers>';
>
> ?>
You've:
1) failed to illustrate the problem
2) not included half the code required for the transaction (i.e. the
page where $_SESSION['token'] is initialized)
3) included lots of code which is nothing to do with the problem you
describe
4) apparently never instrumented the code to see why it is behaving
this way

Did you stop to think about the implications of your assertion that
'the "!" isn't working' ? You didn't think that if this were the case
then maybe someone else might have noticed this critical defect in one
of the most popular programming languages for web dev?

Go back to the drawing board - replace the above code with:

<?php

print "I got [" . $_GET['token'] . "] and the stored version is [" .
    $_SESSION['token'] . "]<br />";
if ($_GET['token'] !== $_SESSION['token']) {
    print "they don't match";
} else {
    print "they are the same";
}

?>

- I think you'll find the answer is quite obvious.

C.
Rik Wasmus
Guest
Posts: n/a
#3: Oct 22 '08

re: Session token


On Fri, 03 Oct 2008 21:04:41 +0200, Lan Mind <LANMIND01@gmail.com> wrote:
> Hello again everybody,
>
> My page: http://www.dockhawk.com/
>
> I'm trying to implement some "session security" PHP script
> mentioned in the "Cross-site request forgery" section of this
> tutorial (pdf):
> http://daniel0.net/phpfreaks_tutoria...p_security.pdf
1) Never, never, never use a GET for an alteration, GET is for
presentation of data, possibly you can do some statistical logging, but
that's it.
2) If you're still concerned about unknowingly posting (instead of
getting) from another site, you can (besides of course making the session
cookie httponly) add a temporary hidden post value in your 'alteration
form', in the form of a random string which is whitelisted in your current
session. On a request, refuse to do an action if the hash doesn't match
the current (or one of the several) whitelisted strings.

Of course, you employ other security measures such as using HTTPS instead of
HTTP, etc. etc.
> I was trying to figure out if it was functioning by putting a value in
> the hidden input that won't be equal to the session token. The hidden
> input is in my default.html page inside the <div id="search_form">.
>
> So as the value is wrong the PHP should return "Invalid Token" but
> it's not. In earlier testing I had taken away the not "!" in the PHP
> and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
> and the PHP did return "Invalid Token" as it should have.
>
> It seems the "!" isn't working, I'm not sure. Thank you for your time,
> here is the PHP:
>
> <?php
Perhaps a missing:
session_start();

(var_dump($_GET, $_SESSION); when in doubt)

... and if so, when concerned with security, I sincerely hope you _check_
the $_SESSION for a valid login on _every_ page?
> if ($_GET['token'] !== $_SESSION['token']) {
>     die('Invalid token');
> }
This function we usually call htmlspecialchars($string,ENT_QUOTES);
> // '&' must be replaced first, or the entities produced by the later
> // replacements are re-escaped.
> function parseToXML($htmlStr)
> {
>     $xmlStr = str_replace('&', '&amp;', $htmlStr);
>     $xmlStr = str_replace('<', '&lt;', $xmlStr);
>     $xmlStr = str_replace('>', '&gt;', $xmlStr);
>     $xmlStr = str_replace('"', '&quot;', $xmlStr);
>     $xmlStr = str_replace("'", '&#39;', $xmlStr);
>     return $xmlStr;
> }

And I can't see a further creation of the $_GET variable in any URL the
user will visit (link, target, etc.), so there's no way of knowing for us
whether there's a fault there.
--
Rik Wasmus
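The token scheme Rik outlines above (session started on every page, a random string whitelisted in the session, a hidden field in the alteration form, the check done on a POST, plus a login check and an httponly cookie) as one worked script. This is an added example for this thread, not code from either poster or from the dockhawk.com site; the function names `csrf_session_begin()`, `csrf_issue_token()`, `csrf_verify_token()`, the constants `CSRF_SESSION_KEY` / `CSRF_MAX_TOKENS` and the `$_SESSION['user_id']` login marker are assumptions, and it needs PHP 7.3 or newer for `random_bytes()`, `hash_equals()` and the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the thread): a minimal CSRF-token round trip.
// Assumed names: csrf_session_begin(), csrf_issue_token(), csrf_verify_token(),
// CSRF_SESSION_KEY, CSRF_MAX_TOKENS, $_SESSION['user_id']. Needs PHP >= 7.3.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_tokens';
const CSRF_MAX_TOKENS  = 5;   // keep a few, so several open tabs still work

// Must run before any output on every page that reads or writes $_SESSION.
// Without session_start() $_SESSION is simply empty, so a comparison against
// $_SESSION['token'] compares against null and the check never behaves as
// intended.
function csrf_session_begin(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,   // script in the page cannot read the cookie
            'secure'   => true,   // only sent over HTTPS
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Create a fresh random token, whitelist it server-side, return it for the form.
function csrf_issue_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION[CSRF_SESSION_KEY][] = $token;
    // Keep only the most recent few tokens in the whitelist.
    $_SESSION[CSRF_SESSION_KEY] = array_slice($_SESSION[CSRF_SESSION_KEY], -CSRF_MAX_TOKENS);
    return $token;
}

// Accept a submitted token if it matches one whitelisted string, then discard
// that string so it cannot be replayed. hash_equals() avoids a timing side
// channel in the comparison.
function csrf_verify_token(?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    foreach ($_SESSION[CSRF_SESSION_KEY] ?? [] as $i => $stored) {
        if (hash_equals($stored, $submitted)) {
            unset($_SESSION[CSRF_SESSION_KEY][$i]);
            return true;
        }
    }
    return false;
}

csrf_session_begin();

// Every page that performs an action checks for a logged-in user first
// (the login page is assumed to set $_SESSION['user_id']).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Alterations arrive by POST, and the token is read from the POST body,
    // never from the query string.
    if (!csrf_verify_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid token');
    }
    // ... perform the alteration here ...
    exit('Action accepted');
}

// GET only renders the form. The hidden field carries the token, escaped with
// htmlspecialchars(..., ENT_QUOTES), the built-in that replaces a hand-rolled
// parseToXML().
$token = csrf_issue_token();
echo '<form method="post" action="">';
echo '<input type="hidden" name="token" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
echo '<input type="text" name="name">';
echo '<button type="submit">Save</button>';
echo '</form>';
```

Two things this layout makes visible when testing: the token only ends up in the request if the form is rendered by PHP and actually submitted with it (a static HTML page never executes `<?php echo ... ?>`), and `var_dump($_POST, $_SESSION)` at the top of the POST branch shows both sides of the comparison before deciding whether the `!==` is at fault.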