tags:

views:

60

answers:

2
+1  Q: 

Web Form Security

I set a cookie in the headers with an md5 hashed keyword. Then in my code, it checks for the exact matching cookie before displaying a form. Is this pretty much pointless? The form submits to an external site, so I am trying to secure the form without using captcha..

A: 

If you send the cookie at the same time as you print the form it will always return true, unless they have cookies turned off.

What the cookie check is used for is cross site request forgery prevention. In other words, stop people from submitting forms from external sites :)

So what you have described there, doesn't do anything

Thomas Winsnes  2010-05-18 15:56:15
-1 cookies cannot defended against CSRF. The whole point of csrf is riding on the session and the cookie value will be included with the forged GET or POST query.
Rook  2010-05-18 16:16:44
@the rook, sorry I didn't explain myself properlyWhen you do a CSRF check, you put a md5hash in a cookie and in a hidden field in the form and then check that they match.You do the check when you process the post information.
Thomas Winsnes  2010-05-19 02:21:39
I removed the -1 becuase that would stop it. although md5 is a inefficient method of making a random number and it still comes down to what you are taking md5() of, if its a value known to the attacker then it doesn't matter. It would also be better to store the token in a session variable instead of a cookie.
Rook  2010-05-19 07:31:13
using a session or a cookie, which you use doesn't matter. The reason for this is that the attacker in csrf isn't a person, it is a website. This website will be under a different domain so the browser will prevent the attacker from knowing the md5hash (which of course is generated on every load on the form), since a cookie will only be sent to the domain it originated from. ps. don't care much about the -1, just like discussing things :P
Thomas Winsnes  2010-05-19 15:43:25
+1  A: 

CSRF is only a problem if the request is valuable to the attacker. For instance, if can an attacker can get a logged in administrator to change their password using CSRF, then you have a serious problem. No one gives a fuck about lyrics, or search requests or page navigation. No one will ever exploit that, so it doesn't matter where the request comes from.

Rook  2010-05-18 16:18:33
I won't say that. If someone can inject some Javascript on a lyrics page, that ranks acceptably high in Google, he can do pretty much harm with that. Cracking bank sites is not the only target for black hats.
Boldewyn  2010-05-18 16:23:31
@Boldewyn that is XSS not CSRF.
Rook  2010-05-18 16:27:32

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases