Using a nonce as a security solution in PHP

Submitted by 被刻印的时光 ゝ on 2019-12-11 21:31:36

Question


I am currently having an issue with using a nonce as a security solution in PHP.

I read this post about How to check if a request is coming from the same server or a different server?

about using a hidden input form field to hash a random value and, at the same time, storing that random value in the session that corresponds to the user. When the form is submitted, check that the hidden field has the same value as the one stored in the session. (I think I am having a problem with this.)

Example

<?php
session_start(); // the session must be started before $_SESSION is used
$_SESSION['formhash'] = md5('any value to be hashed');
?>
<input type="hidden" name="hashed" id="hashed" value="<?php echo htmlspecialchars($_SESSION['formhash']); ?>" />

A user who has Mozilla Firebug and inspects the element will still find my hidden field and can copy it, then create his/her own form and post it to my URL, and the login will still be bypassed.

Image showing example

Is there any more secure way to do this? Any help will be appreciated, thanks!


Answer 1:


The bottom line is that you cannot prevent a user from manipulating the form data prior to submitting the form. What your solution does is confirm that the form data is coming from the user you sent it to.

Regardless of whether or not a user is "logged in", you will probably start a session each time a new visitor hits your site. This means you can store the hash value each time you send them a form and you should, in theory, be able to associate the hash value on the returned form data with the hash value in the session (just like your code is doing).

Armed with that knowledge, we can consider the following scenarios:

  1. The typical use case is that a user submits a form without modifying the data. Your approach will allow you to confirm that the form has been posted by that very user. Your validation code should confirm that the POST data is acceptable.

  2. If a user modifies the form data and submits it, your approach will allow you to confirm that the form has been posted by that user, but not that the form has been messed with. This is why you need to validate forms very, very carefully.

  3. If a user grabs a form that was actually sent to someone else and posts it - modified or not - your system will allow you to confirm that the form did not come from the user that it was originally sent to and you should reject it.

Scenario 3 is what is known as a CSRF attack, and your solution is the standard defense against this attack.

PS: As @cHao says, you should regenerate the hash for every form you generate.
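A concrete version of the approach the answer describes, with a fresh random token issued for every form as the PS recommends and a single-use, constant-time check on submission. This is an added example, not code from the question or the answer; the function names and the `$_SESSION['csrf']` key are assumptions.

```php
<?php
// Per-form CSRF tokens kept in the user's session (assumed helper names).
session_start();

// Issue a fresh token for one form. A new random value is generated every time
// the form is rendered, instead of md5() of a fixed string that never changes.
function csrf_token_issue(string $form_id): string {
    $token = bin2hex(random_bytes(32));          // CSPRNG-backed, 64 hex chars
    $_SESSION['csrf'][$form_id] = $token;
    return $token;
}

// Verify the posted token against the one stored for this session.
// The token is single-use: it is removed whether or not the check succeeds, so a
// replayed submission, or one copied from a form sent to someone else
// (scenario 3 above), is rejected.
function csrf_token_verify(string $form_id, ?string $posted): bool {
    $expected = $_SESSION['csrf'][$form_id] ?? null;
    unset($_SESSION['csrf'][$form_id]);
    if ($expected === null || $posted === null) {
        return false;
    }
    return hash_equals($expected, $posted);      // constant-time comparison
}

// Rendering the form (GET): embed the token in a hidden field.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $token = csrf_token_issue('login');
    ?>
    <form method="post">
      <input type="hidden" name="csrf" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
      <input type="text" name="user"> <input type="password" name="pass">
      <button type="submit">Log in</button>
    </form>
    <?php
    exit;
}

// Handling the submission (POST): reject before any login logic runs.
if (!csrf_token_verify('login', $_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('Invalid or missing form token');
}
// The token matched the one issued to this session. That only proves the form
// came from this user (scenario 1/2); the credentials still need full validation.
```

Seeing the token in Firebug does not help a different visitor, because their session holds no matching value and the token is consumed on first use.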



Source: https://stackoverflow.com/questions/23003563/using-a-nonce-as-a-security-solution-in-php
