views:

107

answers:

5

Is it safe to rely on the data of a html input field set to readonly? What is the purpose of a readonly field?

I know the disabled fields are not pushed to $_POST whereas readonly are? Essentially what I want is a dynamic value in my form that is unchangeable to the user.

Would it be more appropriate to place this in session or what options do I have?

EDIT: As some below have mentioned storing this in session is a better idea, although after reading Storing objects in session I am concerned about performance and overloading the server with session data. Any suggestions? Would is be safe to just unset() any session data no longer needed. (Similar to memory management but on the session level? Delete what you do not need.)

+4  A: 

Well it will work in the sense that users cannot put text into a readonly field. But anyone could forge a post with those fields modified easely.

So no its not a very good security.

For your other question you should give us more details about what you need that readonly field for. Maybe sessions are right for you maybe you do not need to do anything more then not write whatever`s in a readonly field to the db when the form is submited.

Iznogood
In terms of least modification to an existing application to resolve this issue would it be safe to just hash the readonly values together and add one additional field to the form containing the hashed value? Sure the hash can be forged too but odds are they will not produce the proper hash value. At least it adds a validity check on the data.
Chris
@Chris No, this is not enough. You shouldn't be relying on the readonly fields to persist data in the session. This is fundamentally insecure at the lowest possible level, and layering security on top of it cannot make it secure.
meagar
@meagar i agree with your point to an extent, however, this is not about security as much as merely being able to validate the data in the readonly fields is in fact the data that we put there. Nothing more nothing less. I understand the security aspect of this but for example, we want to be able to reference a system ID of a given object and we do enforce access control on the querying for given objects within the site. Therefore, since authentication is already in place it seems more trivial/straightforward to merely hash out the data to validate its correctness on the server.
Chris
since authentication is already in place we assume it utilizing session mechanism. And then `$_SESSION['my_precious_read_only_variable'] = 'Why bother to ask questions if you have already disagree with the answer?';` is most trivial/straightforward/primitive way
Col. Shrapnel
@Chris Are you doing something trivial like persisting the ID of a record being edited within the form? If you validate they have access to the record they're updating, then you're find. But use a hidden input field - there's no reason for the user to be able to see such plumbing details.
meagar
@Chris "`@_SESSION`" is a syntax error and "justification for not thinking using session" is causing a parse error in my brain.
meagar
+4  A: 

If an input is readonly, but you pass its value to the server anyway, that's not safe. It's very easy to manipulate the page's source.
If you want to remember some value, yes, use sessions. You may display it in the readonly input, but never pass a value through an input like this.

edit: Iznogood is right, someone can modify the POST values and send a fake header.

rhino
+3  A: 

Nope. It is not safe to rely on the data of a html input field set to readonly. As well as not safe to rely on any client-supplied data.
It would be the only possible solution to place this in session

Col. Shrapnel
A: 

With Firebug you can easily make in writable so you don't even have to fake a post request using something likt curl.

If it is really readonly, than you can just ignore it server side, so even changing the value will not do anything with your data (e.g. in your database).

For me the reason to show someone a readonly file is to use the same form as a preview of a filled out from. But in this case you should not use it to send the data to your backend again.

For your second question: Session data is usually stored in a text file on the server. It will be deleted after some inactive time (standard is 24 minutes). You should not care of how big the data is. I also used session to store some hundered megabytes for some scripts. But it is a good idea to unset the form data from the session after the data has been sucessfully saved to the database =or any other persistent media). Storeing it in a session will also allow you to refill a form, even if the user does not press the back button or the browser does not recover the data correctly.

Kau-Boy
A: 

Never trust the client.

Ben Hardy