tags:

views:

107

answers:

5
+2  Q: 

HTML input readonly security risk?

Is it safe to rely on the data of a html input field set to readonly? What is the purpose of a readonly field?

I know the disabled fields are not pushed to $_POST whereas readonly are? Essentially what I want is a dynamic value in my form that is unchangeable to the user.

Would it be more appropriate to place this in session or what options do I have?

EDIT: As some below have mentioned storing this in session is a better idea, although after reading Storing objects in session I am concerned about performance and overloading the server with session data. Any suggestions? Would is be safe to just unset() any session data no longer needed. (Similar to memory management but on the session level? Delete what you do not need.)

+4  A: 

Well it will work in the sense that users cannot put text into a readonly field. But anyone could forge a post with those fields modified easely.

So no its not a very good security.

For your other question you should give us more details about what you need that readonly field for. Maybe sessions are right for you maybe you do not need to do anything more then not write whatever`s in a readonly field to the db when the form is submited.

Iznogood  2010-08-30 16:23:27
In terms of least modification to an existing application to resolve this issue would it be safe to just hash the readonly values together and add one additional field to the form containing the hashed value? Sure the hash can be forged too but odds are they will not produce the proper hash value. At least it adds a validity check on the data.
Chris  2010-08-30 16:31:32
@Chris No, this is not enough. You shouldn't be relying on the readonly fields to persist data in the session. This is fundamentally insecure at the lowest possible level, and layering security on top of it cannot make it secure.
meagar  2010-08-30 16:38:51
@meagar i agree with your point to an extent, however, this is not about security as much as merely being able to validate the data in the readonly fields is in fact the data that we put there. Nothing more nothing less. I understand the security aspect of this but for example, we want to be able to reference a system ID of a given object and we do enforce access control on the querying for given objects within the site. Therefore, since authentication is already in place it seems more trivial/straightforward to merely hash out the data to validate its correctness on the server.
Chris  2010-08-30 16:45:09
since authentication is already in place we assume it utilizing session mechanism. And then `$_SESSION['my_precious_read_only_variable'] = 'Why bother to ask questions if you have already disagree with the answer?';` is most trivial/straightforward/primitive way
Col. Shrapnel  2010-08-30 17:05:21
@Chris Are you doing something trivial like persisting the ID of a record being edited within the form? If you validate they have access to the record they're updating, then you're find. But use a hidden input field - there's no reason for the user to be able to see such plumbing details.
meagar  2010-08-30 17:55:58
@Chris "`@_SESSION`" is a syntax error and "justification for not thinking using session" is causing a parse error in my brain.
meagar  2010-08-30 18:33:49
+4  A: 

If an input is readonly, but you pass its value to the server anyway, that's not safe. It's very easy to manipulate the page's source.
If you want to remember some value, yes, use sessions. You may display it in the readonly input, but never pass a value through an input like this.

edit: Iznogood is right, someone can modify the POST values and send a fake header.

rhino  2010-08-30 16:23:55
+3  A: 

Nope. It is not safe to rely on the data of a html input field set to readonly. As well as not safe to rely on any client-supplied data.
It would be the only possible solution to place this in session

Col. Shrapnel  2010-08-30 16:30:57
A: 

With Firebug you can easily make in writable so you don't even have to fake a post request using something likt curl.

If it is really readonly, than you can just ignore it server side, so even changing the value will not do anything with your data (e.g. in your database).

For me the reason to show someone a readonly file is to use the same form as a preview of a filled out from. But in this case you should not use it to send the data to your backend again.

For your second question: Session data is usually stored in a text file on the server. It will be deleted after some inactive time (standard is 24 minutes). You should not care of how big the data is. I also used session to store some hundered megabytes for some scripts. But it is a good idea to unset the form data from the session after the data has been sucessfully saved to the database =or any other persistent media). Storeing it in a session will also allow you to refill a form, even if the user does not press the back button or the browser does not recover the data correctly.

Kau-Boy  2010-08-30 21:03:34
A: 

Never trust the client.

Ben Hardy  2010-10-12 19:11:35

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?