Session token

This topic is closed.
  • Lan Mind

    Session token

    Hello again everybody,

    My page: http://www.dockhawk.com/

    I'm trying to implement some "session security" PHP script
    mentioned in the "Cross-site request forgery" section of this
    tutorial (pdf): http://daniel0.net/phpfreaks_tutoria...p_security.pdf

    I was trying to figure out if it was functioning by putting a value in
    the hidden input that won't be equal to the session token. The hidden
    input is in my default.html page inside the <div id="search_form">.

    So as the value is wrong the PHP should return "Invalid Token" but
    it's not. In earlier testing I had taken away the not "!" in the PHP
    and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
    and the PHP did return "Invalid Token" as it should have.
    It seems the "!" isn't working, I'm not sure. Thank you for your time,
    here is the PHP:

    <?php

    if ($_GET['token'] !== $_SESSION['token']) {
        die('Invalid token');
    }

    require("dockhawk_dbinfo.php");

    // Escape the XML special characters. '&' is replaced first so that the
    // entities produced by the later replacements are not encoded a second time.
    function parseToXML($htmlStr)
    {
        $xmlStr = str_replace('&', '&amp;', $htmlStr);
        $xmlStr = str_replace('<', '&lt;', $xmlStr);
        $xmlStr = str_replace('>', '&gt;', $xmlStr);
        $xmlStr = str_replace('"', '&quot;', $xmlStr);
        $xmlStr = str_replace("'", '&#39;', $xmlStr);
        return $xmlStr;
    }

    // Opens a connection to a MySQL server
    $connection = mysql_connect($hostname, $username, $password);
    if (!$connection) {
        die('Not connected : ' . mysql_error());
    }

    // Set the active MySQL database
    $db_selected = mysql_select_db($database, $connection);
    if (!$db_selected) {
        die('Can\'t use db : ' . mysql_error());
    }

    // Escape the user-supplied keyword before it is interpolated into the query
    $keyword = mysql_real_escape_string($_GET["name"], $connection);

    // Select all the rows in the markers table
    $query = "SELECT * FROM markers WHERE MATCH(operator, name, waterway)
              AGAINST ('$keyword') LIMIT 0, 25";
    $result = mysql_query($query, $connection);
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }

    header("Content-type: text/xml");

    // Start XML file, echo parent node
    echo '<markers>';

    // Iterate through the rows, printing XML nodes for each
    while ($row = @mysql_fetch_assoc($result)) {
        // ADD TO XML DOCUMENT NODE
        echo '<marker ';
        echo 'operator="' . parseToXML($row['operator']) . '" ';
        echo 'name="' . parseToXML($row['name']) . '" ';
        echo 'waterway="' . parseToXML($row['waterway']) . '" ';
        echo 'mile="' . parseToXML($row['mile']) . '" ';
        echo 'address="' . parseToXML($row['address']) . '" ';
        echo 'town="' . parseToXML($row['town']) . '" ';
        echo 'state="' . parseToXML($row['state']) . '" ';
        echo 'lat="' . $row['lat'] . '" ';
        echo 'lng="' . $row['lng'] . '" ';
        echo 'county="' . parseToXML($row['county']) . '" ';
        echo '/>';
    }

    // End XML file
    echo '</markers>';

    ?>
  • C. (http://symcbean.blogspot.com/)

    #2
    Re: Session token

    On 3 Oct, 20:04, Lan Mind <LANMIN...@gmail.com> wrote:
    > [Lan Mind's original post, quoted in full; see above]
    You've:
    1) failed to illustrate the problem
    2) not included half the code required for the transaction (i.e. the
    page where $_SESSION['token'] is initialized)
    3) included lots of code which is nothing to do with the problem you
    describe
    4) apparently never instrumented the code to see why it is behaving
    this way

    Did you stop to think about the implications of your assertion that
    'the "!" isn't working' ? You didn't think that if this were the case
    then maybe someone else might have noticed this critical defect in one
    of the most popular programming languages for web dev?

    Go back to the drawing board - replace the above code with:

    <?php

    print "I got [" . $_GET['token'] . "] and the stored version is [" .
          $_SESSION['token'] . "]<br />";
    if ($_GET['token'] !== $_SESSION['token']) {
        print "they don't match";
    } else {
        print "they are the same";
    }

    ?>

    - I think you'll find the answer is quite obvious.

    C.


    • Rik Wasmus

      #3
      Re: Session token

      On Fri, 03 Oct 2008 21:04:41 +0200, Lan Mind <LANMIND01@gmail.com> wrote:
      > Hello again everybody,
      >
      > My page: http://www.dockhawk.com/
      >
      > I'm trying to implement some "session security" PHP script
      > mentioned in the "Cross-site request forgery" section of this
      > tutorial (pdf):
      > http://daniel0.net/phpfreaks_tutoria...p_security.pdf

      1) Never, never, never use a GET for an alteration, GET is for
      presentation of data, possibly you can do some statistical logging, but
      that's it.
      2) If you're still concerned about unknowingly posting (instead of
      getting) from another site, you can (besides of course making the session
      cookie httponly) add a temporary hidden post value in your 'alteration
      form', in the form of a random string which is whitelisted in your current
      session. On a request, refuse to do an action if the hash doesn't match
      the current (or one of the several) whitelisted strings.

      Of course, you employ other security measures such as using HTTPS instead of
      HTTP, etc. etc.

      > I was trying to figure out if it was functioning by putting a value in
      > the hidden input that won't be equal to the session token. The hidden
      > input is in my default.html page inside the <div id="search_form">.
      >
      > So as the value is wrong the PHP should return "Invalid Token" but
      > it's not. In earlier testing I had taken away the not "!" in the PHP
      > and left the hidden input's value as "<?php echo $_SESSION['token'] ?>"
      > and the PHP did return "Invalid Token" as it should have.
      >
      > It seems the "!" isn't working, I'm not sure. Thank you for your time,
      > here is the PHP:
      >
      > <?php

      Perhaps a missing:
      session_start();

      (var_dump($_GET, $_SESSION); when in doubt)

      .... and if so, when concerned with security, I sincerely hope you _check_
      the $_SESSION for a valid login on _every_ page?

      > if ($_GET['token'] !== $_SESSION['token']) {
      >     die('Invalid token');
      > }

      This function we usually call htmlspecialchars($string, ENT_QUOTES);

      > function parseToXML($htmlStr)
      > {
      >     $xmlStr = str_replace('&', '&amp;', $htmlStr);
      >     $xmlStr = str_replace('<', '&lt;', $xmlStr);
      >     $xmlStr = str_replace('>', '&gt;', $xmlStr);
      >     $xmlStr = str_replace('"', '&quot;', $xmlStr);
      >     $xmlStr = str_replace("'", '&#39;', $xmlStr);
      >     return $xmlStr;
      > }

      And I can't see a further creation of the $_GET variable in any URL the
      user will visit (link, target, etc.), so there's no way of knowing for us
      whether there's a fault there.
      --
      Rik Wasmus
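      The token scheme Rik outlines in point 2, written out as an added example (not code from this thread or from dockhawk.com): the token is generated once per session, kept server-side, emitted as a hidden POST field, and compared with hash_equals on every POST. It assumes PHP 7.4+ and begins with the session_start() call the original script lacks; the field names and messages are chosen for illustration.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.4+.
session_start();   // must run before $_SESSION is read or written

// Issue one random token per session. It lives only in the session store
// and in the user's own form, never in a URL.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

// True only when the submitted token equals the token stored in the session.
function tokenIsValid(array $post, array $session): bool
{
    if (!isset($post['token'], $session['token'])
        || !is_string($post['token']) || !is_string($session['token'])) {
        return false;
    }
    // Constant-time comparison; a plain !== leaks timing information.
    return hash_equals($session['token'], $post['token']);
}

// Alterations are accepted over POST only (GET is for presentation).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!tokenIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid token');
    }
    // ... perform the alteration here ...
    exit('Token accepted');
}

// Escape before embedding in HTML (what the thread's parseToXML does by hand).
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= $h($_SESSION['token']) ?>">
  <input type="text" name="name">
  <button type="submit">Submit</button>
</form>
```

      To check it the way the original poster tried, edit the hidden field's value in the browser before submitting: the response should be a 403 with "Invalid token", while an unmodified submission prints "Token accepted".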
