[FX.php List] [Off] Using Clear Text Passwords/Registration Design
Anders Monsen
andersm at alamark.com
Thu Feb 12 14:57:47 MST 2009
On Feb 12, 2009, at 3:07 PM, Leo R. Lundgren wrote:
> Use HTTPS all over the site, /including the start pages and pages
> that print out forms where sensitive data is to be entered/. The
> reason for not just using it on URLs that are POSTed to (i.e. making
> the forms post to HTTPS urls but having only HTTP for the form page)
> is that unless the page printing the form where the user enters
> their sensitive data is secured, who knows where the form will send its
> data? The form page could've been hijacked and altered to make the
> form POST the sensitive information to a totally different site than
> your own.
You can build some form security by creating a session token and
supplying this with the form. This should hinder people from hijacking
your form and posting from a separate location, though I am not sure
how foolproof this is against determined attackers.
On your form page:
<?php
// Start the session only if one is not already active.
if (!session_id()) session_start();
// Generate a token and remember it server-side for this session.
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>
<form method="post" name="form" action="thePage">
<!-- The token travels with the form so the POST carries it back. -->
<input type="hidden" name="token" value="<?php echo $token; ?>"/>
<!--rest of form here-->
</form>
------
When processing form -
<?php
// The session must be resumed here too, or $_SESSION['token'] is never seen.
if (!session_id()) session_start();
// Compare with === so PHP does not loosely juggle numeric-looking strings.
if (isset($_SESSION['token']) && isset($_POST['token']) &&
    $_POST['token'] === $_SESSION['token']) {
    // process the form
}
?>
--
Anders Monsen
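The token scheme above, as an added example that is not part of the original post or of FX.php: the token comes from the CSPRNG instead of rand()/uniqid(), the comparison is constant-time and strict, and non-string submissions are rejected. It assumes PHP 7 or later for random_bytes() and hash_equals(); the session key name 'csrf_token' and the helper names are assumptions. Note what it does and does not protect against: it stops a cross-site page from POSTing to your handler with a token it never received (CSRF), but it does not address the case Leo raises, where the form page itself is served over HTTP and altered in transit, because whoever rewrites that page also sees the token embedded in it.

```php
<?php
// Added example, not code from the original post or from FX.php.
// Assumes PHP >= 7.0 (random_bytes, hash_equals). Session key name is assumed.
declare(strict_types=1);

const TOKEN_KEY   = 'csrf_token';
const TOKEN_BYTES = 32;

// Return the session's token, creating it from the CSPRNG on first use.
// One token per session (rather than per request) keeps multi-tab use working.
function csrf_token(array &$session): string
{
    if (!isset($session[TOKEN_KEY]) || !is_string($session[TOKEN_KEY])) {
        $session[TOKEN_KEY] = bin2hex(random_bytes(TOKEN_BYTES));
    }
    return $session[TOKEN_KEY];
}

// Validate a submitted token against the session.
// $submitted is untyped on purpose: $_POST values can be arrays or absent.
function csrf_validate(array $session, $submitted): bool
{
    if (!isset($session[TOKEN_KEY]) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() is strict and constant-time, so it avoids both the
    // '==' juggling pitfall ("0e123..." == "0e456...") and timing leaks.
    return hash_equals($session[TOKEN_KEY], $submitted);
}

// Render the hidden field for a form (HTML-escaped out of habit; the hex
// token contains nothing that needs escaping).
function csrf_field(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $t . '"/>';
}

// Web usage (assumed layout):
//   form page:     session_start(); echo csrf_field($_SESSION);
//   POST handler:  session_start();
//                  if (!csrf_validate($_SESSION, $_POST['token'] ?? null)) {
//                      http_response_code(403); exit;
//                  }

// Constructed demonstration for the command line: arrays stand in for
// $_SESSION so no session store or browser is needed.
if (PHP_SAPI === 'cli') {
    $victimSession = [];
    $genuine = csrf_token($victimSession);

    // A token minted in some other session, as a forged cross-site POST would carry.
    $attackerSession = [];
    $forged = csrf_token($attackerSession);

    printf("genuine token accepted:  %s\n", var_export(csrf_validate($victimSession, $genuine), true));
    printf("foreign token accepted:  %s\n", var_export(csrf_validate($victimSession, $forged), true));
    printf("array submitted:         %s\n", var_export(csrf_validate($victimSession, ['x']), true));
    printf("field missing:           %s\n", var_export(csrf_validate($victimSession, null), true));
    echo csrf_field($victimSession), "\n";
}
```

If you want the token to be single-use rather than per-session, unset $session[TOKEN_KEY] inside csrf_validate() after a successful match and let the next form render mint a new one; the trade-off is that a user with two forms open will have the second one rejected.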