Reply to Re: [PHP] Help with some OOP

Posted by Jochem Maas on 06/05/05 15:18

JamesBenson wrote:
> Hello all, I've been working with PHP for my websites for a few months,
> just attempted to build my own class, after reading all this stuff about
> automated robots and XSS attacks etc decided to step up security a bit,
> my result is an attempt to create a class for using the token method
> within web forms, not even sure whether it's the real thing but my work
> is below, some advice on whether it's ok or what needs improving would be
> appreciated, thanks.
>
>
> <?php
> // PHP 4.3.11
>
>
> class SecretToken {
>
>     var $_returnCode;
>
>
>     function GenerateToken() {
>         if(!isset($_SESSION['token'])) {
>             session_regenerate_id();

I wonder if regenerating the session id here is useful.
I understand doing it on log off/on but what's the connection
with creating a 'submit token'?

>             $new_token = md5(uniqid(rand(), true));
>             $_SESSION['token'] = $new_token;
>         }
>     }
>
>
>     function VerifyToken($post) {
>         // always defined, so a request with no session token cannot
>         // be compared against an undefined variable below
>         $saved_token = null;
>         if(isset($_SESSION['token'])) {
>             $saved_token = $_SESSION['token'];
>         }

I think you should be unsetting $_SESSION['token']
round about here in order to make sure that each
submit a user does requires a different/new token.

I am assuming you have implemented this class in order
to trap double submits (as well as increasing the
security of your submits somewhat).

At the moment the user gets a single token for
ALL submits he does within a given session.



>         // strict comparison: a missing or empty token must never
>         // match a submitted empty string or zero under loose ==
>         if($saved_token !== null && $post === $saved_token):
>             $this->_returnCode = 1;
>             unset($_SESSION['token']);
>         else:
>             $this->_returnCode = 0;
>         endif;
>     }
>
>
>     function ReturnCode() {
>         ## Result will be 1 for success or 0 for fail
>         return $this->_returnCode;
>     }
>

You can probably drop the ReturnCode() function
and just have the 1/0 returned directly from VerifyToken() e.g:

if (SecretToken::VerifyToken( $myTok )) {
    // lets do a submit
} else {
    // evil hacker, set the dogs on him.
}

>
> // end class definition
> }
> ?>
>
>
> Basically in my web form I call GenerateToken firstly, then when the
> form's been submitted I then call VerifyToken and finally check return
> codes using a switch statement, seems to work,

Sounds fine to me.
rgds,
jochem

>
>
> TIA
> James Benson
>
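The two changes suggested in the reply (a fresh token per submit that verification consumes, and a boolean returned directly from the verify call), written up as an added example that is not code from either poster. It assumes PHP 7+ for `random_bytes()` and `hash_equals()`, and that the page has already called `session_start()`; the class and method names are the example's own.

```php
<?php
// Added example, not from the thread. Per-submit token: generate() issues a
// fresh token every call, verify() consumes it, so a second submit with the
// same token (double-click or replay) is rejected. Assumes PHP 7+ and an
// already started session.

class SubmitToken
{
    const SESSION_KEY = 'submit_token';

    // Issue a new token, replacing any earlier one, and return it so the
    // form can embed it in a hidden field.
    public static function generate()
    {
        $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
        $_SESSION[self::SESSION_KEY] = $token;
        return $token;
    }

    // Consume the stored token and compare it with the submitted value.
    // The stored token is removed before the comparison, so the outcome of
    // the comparison does not matter for replay protection: one token, one
    // verification attempt.
    public static function verify($submitted)
    {
        if (!isset($_SESSION[self::SESSION_KEY])) {
            return false;                      // nothing issued for this session
        }
        $saved = $_SESSION[self::SESSION_KEY];
        unset($_SESSION[self::SESSION_KEY]);
        if (!is_string($submitted) || $submitted === '') {
            return false;                      // arrays, null, '' never match
        }
        return hash_equals($saved, $submitted); // constant-time string compare
    }
}

// Constructed demo of the form round-trip without a browser.
$_SESSION = array();                           // stand-in for session_start()
$formToken = SubmitToken::generate();
echo '<input type="hidden" name="token" value="'
   . htmlspecialchars($formToken, ENT_QUOTES, 'UTF-8') . '">', "\n";
var_dump(SubmitToken::verify($formToken));    // first submit
var_dump(SubmitToken::verify($formToken));    // same token again
var_dump(SubmitToken::verify(''));            // empty value, no token issued
```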
