PHP security not working


Bes
Hi,

I have a form which the user fills in and gets submitted to a PHP back end script which then does some fairly CPU-intensive activities.

To try and prevent an attacker from just constantly calling the back end script and perhaps bringing down my server, I have the following code in my back end script:


PHP:
<?php
session_start();

// Reject the request unless the posted token matches the one stored in the session.
if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
    die;
?>

And in my front-end form

PHP:
<?php
session_start();                        // must run before any output is sent
$token = md5(uniqid(rand(), true));     // a fresh token on every load of this page
$_SESSION['token'] = $token;
?>

<form method="post">
<stuff>

<input type="hidden" name="token" value="<?php echo $token; ?>" />

</form>

The problem is that this does not always work properly, especially it seems in Safari; the posted token and session token somehow do not always match (I am logging the output of these variables and can see it dying).

Now, 2 questions:

1) Do I even need this code?
2) Any ideas what is going on here?

Thanks
 
Hi,
I have a form which the user fills in and gets submitted to a PHP back end script which then does some fairly CPU-intensive activities.

To try and prevent an attacker from just constantly calling the back end script and perhaps bringing down my server

I am not quite sure how sessions work; however, I am pretty sure you can clear current sessions in a browser and request a new one. So what is stopping someone from using netcat and just closing sessions immediately after spawning your back-end script?

Depending on the website, I would be tempted to limit simultaneous connections per IP instead perhaps?
 
You could store the current time that the form is submitted in the session then test in the back-end script how long since the first submission.
 
Thanks guys... I THINK I want to stick with the way I am doing it if possible (if valid?). Can anyone else offer any more input?

Thanks
 
Are you sure there is zero whitespace/content/anything whatsoever between your <?php and the top of your file? There can be absolutely no output whatsoever before session_start(), not even a blank line at the top of the file.
 
Does there seem to be any pattern as to when it does not work? For example, when you press the back button and submit the form a second time as opposed to pressing F5 and starting the whole process from scratch?
 
Not really, it just seems the FE and BE scripts are generating a totally separate key somehow... Whenever I refresh the page, I see these separate keys in the logs...
 
This is my actual script (Top bit)

Front end
PHP:
<?php
session_start();
error_reporting(E_ALL^E_NOTICE);
ini_set('display_errors', 0);
ini_set('log_errors', 1);
ini_set('error_log', '/logs/InsideEdior_cs.txt');
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;   // overwritten on every load of the front-end page

Back end

PHP:
<?php
session_start();

error_reporting(E_ALL^E_NOTICE);
ini_set('display_errors', 0);
ini_set('log_errors', 1);
ini_set('error_log', '/public_html/InsideEdior_ss.txt');
$fp = fopen('data.txt', 'w');
fwrite($fp, "Editor started....\n");
// print_r() only returns the dump as a string when its second argument is true;
// without it the dump is sent to the browser and fwrite() just writes "1".
fwrite($fp, print_r($_SESSION, true));
fwrite($fp, "Post token is: ".$_POST['token']." Session token is: ".$_SESSION['token']."\n");
if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
{
    fwrite($fp, "Something is missing. About to die...\n");
    die;
}
Is this the top of your actual .php file and not just the script?
 
Yeah, the top of my PHP files, but it shows the actual code that is causing the problems in context... I just posted it to check I am not doing anything obviously stupid/wrong.

Thanks.
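Pulling the thread together, here is an added example (not the poster's code) that merges the two scripts into one PHP file so the form and the handler always read the same session entry: the token is only issued when the session has none, the comparison uses hash_equals(), the token is consumed on use, and the submission-time throttle suggested above is applied. It assumes the hidden field is still named token and a 10-second minimum interval; the per-session throttle does not stop a client that discards its cookies, so the per-IP limit mentioned earlier still belongs at the server level.

```php
<?php
// Added example (not the thread's code): one script serves both the form and the
// handler, so both sides read the same $_SESSION entry. The token is only issued
// when the session has none, so re-fetching the form (refresh, second tab) cannot
// overwrite the value an earlier copy of the form is about to post.
declare(strict_types=1);
session_start();  // before any output, including blank lines above <?php
const MIN_INTERVAL = 10;  // assumed: seconds between accepted submissions per session

function issueToken(): string {
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));  // CSPRNG, not md5(uniqid())
    }
    return $_SESSION['token'];
}

// Returns null when the submission is accepted, otherwise a reason for the server log.
function validateSubmission(array $post, array &$session, int $now): ?string {
    $posted = $post['token'] ?? null;
    if (!is_string($posted) || $posted === '' || empty($session['token'])) {
        return 'token missing';
    }
    if (!hash_equals($session['token'], $posted)) {  // constant-time, not !=
        return 'token mismatch';
    }
    unset($session['token']);  // single use: a replayed POST needs a fresh form
    if (isset($session['last_submit']) && $now - $session['last_submit'] < MIN_INTERVAL) {
        return 'too soon';  // per-session throttle, as suggested in the thread
    }
    $session['last_submit'] = $now;
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = validateSubmission($_POST, $_SESSION, time());
    if ($reason !== null) {
        error_log("submission rejected: $reason");  // log the reason, not the tokens
        http_response_code(400);
        exit;
    }
    // ... CPU-intensive work goes here ...
    echo 'OK';
    exit;
}
$token = issueToken();
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <button type="submit">Run</button>
</form>
```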
 