
Session token

Hello again everybody,

My page: http://www.dockhawk.com/

I'm trying to implement some "session security" PHP script
mentioned in the "Cross-site request forgery" section of this
tutorial (pdf): http://daniel0.net/phpfreaks_tutoria...p_security.pdf

I was trying to figure out if it was functioning by putting a value in
the hidden input that won't be equal to the session token. The hidden
input is in my default.html page inside the <div id="search_form">.

So as the value is wrong the PHP should return "Invalid Token" but
it's not. In earlier testing I had taken away the not "!" in the PHP
and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
and the PHP did return "Invalid Token" as it should have.
It seems the "!" isn't working, I'm not sure. Thank you for your time,
here is the PHP:

<?php

// CSRF check: compare the submitted token with the one stored in the session
if ($_GET['token'] !== $_SESSION['token']) {
    die('Invalid token');
}

$keyword = $_GET["name"];

require("dockhawk_dbinfo.php");

// Escape the five characters that are special inside an XML attribute value.
// '&' has to be replaced first; doing it last re-escapes the entities added
// by the other replacements (e.g. '<' -> '&lt;' -> '&amp;lt;').
function parseToXML($htmlStr)
{
    $xmlStr = str_replace('&', '&amp;', $htmlStr);
    $xmlStr = str_replace('<', '&lt;', $xmlStr);
    $xmlStr = str_replace('>', '&gt;', $xmlStr);
    $xmlStr = str_replace('"', '&quot;', $xmlStr);
    $xmlStr = str_replace("'", '&#39;', $xmlStr);
    return $xmlStr;
}

// Opens a connection to a MySQL server
$connection = mysql_connect($hostname, $username, $password);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

// Set the active MySQL database
$db_selected = mysql_select_db($database, $connection);
if (!$db_selected) {
    die('Can\'t use db : ' . mysql_error());
}

// Escape the user-supplied keyword before it is interpolated into the SQL;
// without this, $_GET['name'] goes into the query string verbatim.
$keyword = mysql_real_escape_string($keyword, $connection);

// Select up to 25 rows from the markers table that match the keyword
$query = "SELECT * FROM markers WHERE MATCH(operator, name, waterway)
AGAINST ('$keyword') LIMIT 0, 25";
$result = mysql_query($query);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

header("Content-type: text/xml");

// Start XML file, echo parent node
echo '<markers>';

// Iterate through the rows, printing XML nodes for each
while ($row = @mysql_fetch_assoc($result)) {
    // ADD TO XML DOCUMENT NODE
    echo '<marker ';
    echo 'operator="' . parseToXML($row['operator']) . '" ';
    echo 'name="' . parseToXML($row['name']) . '" ';
    echo 'waterway="' . parseToXML($row['waterway']) . '" ';
    echo 'mile="' . parseToXML($row['mile']) . '" ';
    echo 'address="' . parseToXML($row['address']) . '" ';
    echo 'town="' . parseToXML($row['town']) . '" ';
    echo 'state="' . parseToXML($row['state']) . '" ';
    echo 'lat="' . $row['lat'] . '" ';
    echo 'lng="' . $row['lng'] . '" ';
    echo 'county="' . parseToXML($row['county']) . '" ';
    echo '/>';
}

// End XML file
echo '</markers>';

?>
Oct 3 '08 #1
2 Replies


On 3 Oct, 20:04, Lan Mind <LANMIN...@gmail.com> wrote:
> [original post quoted in full; snipped]
You've:
1) failed to illustrate the problem
2) not included half the code required for the transaction (i.e. the
page where $_SESSION['token'] is initialized)
3) included lots of code which has nothing to do with the problem you
describe
4) apparently never instrumented the code to see why it is behaving
this way

Did you stop to think about the implications of your assertion that
'the "!" isn't working' ? You didn't think that if this were the case
then maybe someone else might have noticed this critical defect in one
of the most popular programming languages for web dev?

Go back to the drawing board - replace the above code with:

<?php

print "I got [" . $_GET['token'] . "] and the stored version is [" .
$_SESSION['token'] . "]<br />";
if ($_GET['token'] !== $_SESSION['token']) {
print "they don't match";
} else {
print "they are the same";
}

?>

- I think you'll find the answer is quite obvious.

C.
Oct 5 '08 #2

On Fri, 03 Oct 2008 21:04:41 +0200, Lan Mind <LA*******@gmail.com> wrote:
> Hello again everybody,
>
> My page: http://www.dockhawk.com/
>
> I'm trying to implement some "session security" PHP script
> mentioned in the "Cross-site request forgery" section of this
> tutorial (pdf):
> http://daniel0.net/phpfreaks_tutoria...p_security.pdf
1) Never, never, never use a GET for an alteration. GET is for
presentation of data; possibly you can do some statistical logging, but
that's it.
2) If you're still concerned about unknowingly posting (instead of
getting) from another site, you can (besides, of course, making the session
cookie httponly) add a temporary hidden POST value in your 'alteration
form', in the form of a random string which is whitelisted in your current
session. On a request, refuse to do the action if the hash doesn't match
the current (or one of the several) whitelisted strings.

Of course, you employ other security measures such as using HTTPS instead of
HTTP, etc.
> I was trying to figure out if it was functioning by putting a value in
> the hidden input that won't be equal to the session token. The hidden
> input is in my default.html page inside the <div id="search_form">.
>
> So as the value is wrong the PHP should return "Invalid Token" but
> it's not. In earlier testing I had taken away the not "!" in the PHP
> and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
> and the PHP did return "Invalid Token" as it should have.
>
> It seems the "!" isn't working, I'm not sure. Thank you for your time,
> here is the PHP:
>
> <?php
Perhaps a missing:
session_start();

(var_dump($_GET, $_SESSION); when in doubt)

... and if so, when concerned with security, I sincerely hope you _check_
the $_SESSION for a valid login on _every_ page?
> if ($_GET['token'] !== $_SESSION['token']) {
>     die('Invalid token');
> }
This function we usually call htmlspecialchars($string,ENT_QUOTES);
> function parseToXML($htmlStr)
> {
>     $xmlStr = str_replace('&', '&amp;', $htmlStr);
>     $xmlStr = str_replace('<', '&lt;', $xmlStr);
>     $xmlStr = str_replace('>', '&gt;', $xmlStr);
>     $xmlStr = str_replace('"', '&quot;', $xmlStr);
>     $xmlStr = str_replace("'", '&#39;', $xmlStr);
>     return $xmlStr;
> }

And I can't see any further creation of the $_GET variable in any URL the
user will visit (link, target, etc.), so there's no way of knowing for us
whether there's a fault there.
--
Rik Wasmus
Oct 22 '08 #3
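The token handling the two replies describe (a random per-session string kept server-side, a hidden field carrying it in a POST form, and a comparison that only succeeds when both sides are actually present), as an added example that is not code from the original thread or from the tutorial it links. The helper names csrf_token(), csrf_hidden_input(), csrf_check() and naive_check() are my own; the session key 'token' and the request field 'token' are the ones the question uses, and the inputs at the bottom are constructed stand-ins for $_SESSION and $_POST. The last function keeps the question's original comparison only to show, next to the strict one, how it behaves when neither value is set.

```php
<?php
// Added example, not code from the original thread. Helper names are mine;
// the session key 'token' and request field 'token' come from the question.
declare(strict_types=1);

// Create the per-session token once and keep it server-side. In a real page
// $session is $_SESSION, which only exists after session_start() has run.
function csrf_token(array &$session): string
{
    if (!isset($session['token']) || !is_string($session['token'])) {
        // 32 bytes from the CSPRNG, hex-encoded to 64 characters (PHP 7+).
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

// Hidden field for the form that performs the action. It must be emitted by
// a file PHP actually parses; a static .html page ships the PHP tags as text.
function csrf_hidden_input(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Accept the request only when both sides hold a string and the strings are
// equal. hash_equals() compares in constant time. Pass $_POST rather than
// $_GET: state-changing actions should not ride on GET.
function csrf_check(array $session, array $request): bool
{
    if (!isset($session['token'], $request['token'])) {
        return false;                   // either side missing: fail closed
    }
    if (!is_string($session['token']) || !is_string($request['token'])) {
        return false;                   // e.g. token[]=x arrives as an array
    }
    return hash_equals($session['token'], $request['token']);
}

// The comparison from the original post, kept only for contrast. "?? null"
// reproduces what reading an unset index returns (null). With no session
// started and no token in the request both operands are null, and
// null !== null is false, so such a request is accepted.
function naive_check(array $session, array $request): bool
{
    return ($request['token'] ?? null) === ($session['token'] ?? null);
}

// Constructed inputs standing in for $_SESSION and $_POST.
$session = [];
$token   = csrf_token($session);
echo csrf_hidden_input($token), "\n\n";

$cases = [
    'no session, no token'    => [[], []],
    'correct token'           => [$session, ['token' => $token]],
    'wrong token'             => [$session, ['token' => 'not-the-token']],
    'array instead of string' => [$session, ['token' => [$token]]],
];
foreach ($cases as $label => [$s, $r]) {
    printf("%-26s naive: %-6s strict: %s\n", $label,
        naive_check($s, $r) ? 'accept' : 'reject',
        csrf_check($s, $r) ? 'accept' : 'reject');
}

// Wiring in a real POST handler:
//   session_start();
//   if (!csrf_check($_SESSION, $_POST)) {
//       http_response_code(403);
//       exit('Invalid token');
//   }
```

Run it with `php csrf.php`. The first row is the case the thread circles around: when the session holds no token and the request carries none, the original comparison accepts the request (two nulls are identical), whereas csrf_check() rejects it because it requires both values to exist before comparing. The remaining rows show the strict check accepting only the genuine token and rejecting a wrong string or an array smuggled in through `token[]=`.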
