PHP security not working

Bes · 8 Jul 2009 at 10:16

Hi,

I have a form which the user fills in and gets submitted to a PHP back end script which then does some fairly CPU- intensive activites.

To try and prevent an attacker from just constantly calling the back end script and perhaps bringing down my server, have the following code in my back end script:

PHP:

<?php

session_start();


    if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
        die;


?>

And in my front- end form

PHP:

<?php
session_start();
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
?>

<form method="post">
<stuff>

<input type="hidden" name="token" value="<?php echo $token; ?>" />

</form>

The problem is that this does not always work properly- especially it seems in Safari; the posted token and session token somehow do not always match (I am logging the output of these vars and can see it dying)

Now, 2 questions:

1) Do I even need this code?
2) Any ideas what is going on here?

Thanks

Bes · 8 Jul 2009 at 22:09

Thanks guys.... I THINK I want to stick with the way I am doing it if possible (if valid?) Can anyone else offer any more input?

Thanks

Bes · 9 Jul 2009 at 09:20

I have

PHP:

<?php
session_start();

In both files.

Bes · 9 Jul 2009 at 10:09

Not really- it just seems the FE and BE scripts are generating a totally seperate key somehow.... Whenever I refresh the page, I see these seperate keys in the logs...

Bes · 9 Jul 2009 at 10:11

This is my actual script (Top bit)

Front end

PHP:

<?php
session_start();
error_reporting(E_ALL^E_NOTICE);
ini_set('display_errors', 0);
ini_set('log_errors', 1);
ini_set('error_log', '/logs/InsideEdior_cs.txt');
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

Back end

PHP:

<?php
session_start();
 
error_reporting(E_ALL^E_NOTICE);
ini_set('display_errors', 0);
ini_set('log_errors', 1);
ini_set('error_log', '/public_html/InsideEdior_ss.txt');
$fp = fopen('data.txt', 'w');
fwrite($fp, "Editor started....\n");
fwrite($fp, Print_r ($_SESSION));
fwrite($fp, "Post token is: ".$_POST['token']." Session token is: ".$_SESSION['token']."\n");
if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
   {
   fwrite($fp, "Something is missing. About to die...\n");
     die; 
	}

Bes · 10 Jul 2009 at 09:45

Any ideas?

Thanks

Bes · 10 Jul 2009 at 18:36

yeah the top of my php files, but shows the actual code that is causing the problems in context.... I just posted it to check I am not doing anything obviously stupid/ wrong.

Thanks.