Posted by Skeets on 10/13/46 11:39
Justin, thanks for the script. I think I get the basic idea, but I'm
missing one point. What is to stop someone from copying the script
from the first page, saving it on their computer and then pointing it
to the second page? It would seem that they could spoof it as long as
they had the code from the first page.
I see isset($_POST['formToken']) is checked, but that is independent of
the sending site, right?
isset($_SESSION['token']) is checked, but that is independent of the
sending site, right?
$_POST['formToken']==$_SESSION['token'] is checked, but, as long as the
first form's hidden element arrangement is the same, they would be
equal coming from a spoofing site, too, right?
The values would be different from those sent from the legit page, but
they would still equate to each other - and that's what is checked here
- their equality, not their absolute values - which would be different,
of course.
Or am I missing something here?
Thanks to all for the good ideas.
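The token check the post asks about, modelled as an added example in Python rather than the PHP script Justin posted (this is not code from the thread; the session store, function names and the `extract_token` helper are assumptions). The point it shows is that `$_SESSION['token']` is never sent by the submitting page: the server looks it up from the session that the request's cookie identifies, so a copied form carrying a token from some other session fails the comparison.

```python
import hmac
import secrets

# Constructed server-side session store keyed by session id (the cookie value).
# A PHP deployment keeps this in $_SESSION; it is never part of the POST body.
SESSIONS: dict[str, dict] = {}


def start_session() -> str:
    """Create an empty server-side session and return its id (the cookie)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def render_form(sid: str) -> str:
    """First page: mint a per-session token, store it server-side, embed it."""
    token = secrets.token_hex(32)
    SESSIONS[sid]["token"] = token  # the PHP script's $_SESSION['token']
    return f'<input type="hidden" name="formToken" value="{token}">'


def handle_submit(sid: str, post: dict) -> bool:
    """Second page: accept only if formToken equals the token held in the
    session that the request's cookie points at, not one the sender chose."""
    session = SESSIONS.get(sid)
    if session is None or "token" not in session:
        return False  # isset($_SESSION['token']) fails
    if "formToken" not in post:
        return False  # isset($_POST['formToken']) fails
    # Constant-time comparison of the submitted value against the server copy.
    return hmac.compare_digest(post["formToken"], session["token"])


def extract_token(html: str) -> str:
    """Pull the hidden-field value out of a served form (as a copier would)."""
    return html.split('value="')[1].split('"')[0]


def scenario() -> dict:
    """Legit submission versus a copied first page re-hosted elsewhere."""
    attacker = start_session()
    copied_token = extract_token(render_form(attacker))  # lifted off page one
    victim = start_session()
    results = {}
    # Victim submits the copied form before ever loading the real first page.
    results["no_prior_visit"] = handle_submit(victim, {"formToken": copied_token})
    victim_token = extract_token(render_form(victim))
    # Same copied form again: the victim's cookie selects the victim's token.
    results["copied_form"] = handle_submit(victim, {"formToken": copied_token})
    results["legit"] = handle_submit(victim, {"formToken": victim_token})
    return results
```

Only the submission that carries the token minted for the same session the cookie identifies succeeds; copying the form only yields a token that belongs to the copier's own session.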