How to prevent fake votes in a PHP like / dislike system

I am trying to create a like / dislike system: when a user clicks on a message, his / her user ID (which is stored in the session) and the message ID are stored in the database via an AJAX call.

Then I thought: what if some user makes an HTML form on another domain with a hidden input field (containing one of my message identifiers) and sends a link to a user who is logged in, who ticked "remember me" earlier, or who is browsing my site?

That user will click the button, the form will send a POST request to my site, the session contains the user ID, and the vote will be saved in the database.

No good solution comes to mind. Is there a more reliable way than the HTTP referrer to prevent this?

Thank you in advance

+4
3 answers

One way is to insert a secret value into the HTML that is specific to the user's session. This prevents other sites from forging submissions.

In PHP, you create a random “key” and save it in a session:

$_SESSION['myFormVar'] = md5(mt_rand()); 

Then in the form you add a hidden variable:

<input type="hidden" name="chkVar" value="<?=$_SESSION['myFormVar']?>"/>

You must submit your form via POST and preferably via HTTPS, which makes it difficult (but not impossible) to intercept the value of chkVar.

In the code that processes your submitted form, compare the submitted chkVar with your session variable. In an ideal world you would have a unique chkVar for each request; however, using one that stays the same for the whole session often works fine and protects against most CSRF attacks.

+5

You are talking about CSRF.
This is a well-known security issue.
It is handled with a universal key that is known only to the server.
This key should be used in all of your forms.
Below is a small guide to protect against it.

+2

The only thing you should send is the message identifier; the user identifier should be looked up automatically in the script that you call through AJAX. Assuming you have verified that the user is logged in, you have both pieces of information without any additional security risk.

+1
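Putting the first and the third answer together, here is an added example of what the AJAX endpoint and the page that calls it could look like. It is not code from the original answers. It assumes PHP 7 or later (for random_bytes and hash_equals), a hypothetical PDO connection $pdo, a hypothetical `votes` table with a unique key on (user_id, message_id), and MySQL's ON DUPLICATE KEY UPDATE syntax; the token is still sent in a field called chkVar as in the first answer, but the user ID is taken only from the session, as the third answer recommends.

```php
<?php
// Added example, not code from the original answers.
// Assumes PHP >= 7.0, a hypothetical PDO instance $pdo and a hypothetical
// `votes` table (user_id, message_id, vote) with a unique key on
// (user_id, message_id).

declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // send the session cookie only over HTTPS
    'samesite' => 'Lax',  // extra layer: browsers omit the cookie on cross-site POSTs
]);
session_start();

// One token per session, created on first use (the "session-wide chkVar"
// variant from the first answer, with a CSPRNG instead of md5(mt_rand())).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak timing information.
function csrfTokenIsValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- vote.php: the endpoint called by the AJAX request --------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');

    // 1. Reject anything a form hosted on another domain could have produced.
    if (!csrfTokenIsValid($_POST['chkVar'] ?? null)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }

    // 2. The user ID comes from the session, never from the request body.
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        echo json_encode(['error' => 'not logged in']);
        exit;
    }
    $userId = (int) $_SESSION['user_id'];

    // 3. Only the message ID and the vote direction come from the client,
    //    and both are validated before they touch the database.
    $messageId = filter_input(INPUT_POST, 'message_id', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $vote = $_POST['vote'] ?? '';
    if ($messageId === false || $messageId === null
        || !in_array($vote, ['like', 'dislike'], true)) {
        http_response_code(400);
        echo json_encode(['error' => 'bad request']);
        exit;
    }

    // Prepared statement: the IDs are bound, not interpolated (MySQL syntax assumed).
    $stmt = $pdo->prepare(
        'INSERT INTO votes (user_id, message_id, vote) VALUES (:u, :m, :v)
         ON DUPLICATE KEY UPDATE vote = VALUES(vote)'
    );
    $stmt->execute([':u' => $userId, ':m' => $messageId, ':v' => $vote]);

    echo json_encode(['ok' => true]);
    exit;
}
?>
<!-- The page that renders the buttons embeds the token once; the script
     that fires the AJAX request sends it back as chkVar. -->
<meta name="csrf-token" content="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
<button data-message-id="42" data-vote="like">Like</button>
<button data-message-id="42" data-vote="dislike">Dislike</button>
<script>
document.querySelectorAll('button[data-message-id]').forEach(function (btn) {
    btn.addEventListener('click', function () {
        var body = new URLSearchParams({
            chkVar: document.querySelector('meta[name="csrf-token"]').content,
            message_id: btn.dataset.messageId,
            vote: btn.dataset.vote
        });
        fetch('vote.php', { method: 'POST', body: body, credentials: 'same-origin' });
    });
});
</script>
```

A form on another domain can make the browser send the session cookie, but it cannot read the token embedded in your page, so its POST fails the chkVar check; and because the user ID is never accepted from the request, a forged or tampered request cannot vote on someone else's behalf either.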

Source: https://habr.com/ru/post/1390243/