stackoom
  简体   繁体   中英

Form token does not match when user refreshes page

 原文  2011-04-05 00:05:06       php/ session/ session-hijacking

Question

I wrote the following three functions in an attempt to prevent session Hijacking. They work. I call set_auth_token at the beginning of the script. Then in the html form I call get_auth_token. After the form has been posted I call check_auth_token. However, sometimes after a user has filled in a form, and they fill it in incorrectly, they tend to press F5/Refresh. This causes the page to 'die'. It does not happen before a form has been filled in.

What can I do to improve these, so that they do not die each time a user presses refresh? 

function set_auth_token()
{
   if (!isset($_SESSION['auth_token']))
   {
      $_SESSION['auth_token'] = hash('sha256',rand().time().$_SERVER['HTTP_USER_AGENT'].$_SERVER['REQUEST_URI']);
   }
}

get_auth_token is always called after set_auth_token has been called, hence it dies if it cannot find an auth token: 

function get_auth_token()
{
   if (isset($_SESSION['auth_token']))
   {
      return $_SESSION['auth_token'];   
   }
   else
   {
      die('"No auth token."');
   }
}

The function that causes the page to die: 

function check_auth_token()
{
   if (array_key_exists('auth_token', $_SESSION) && array_key_exists('auth_token', $_POST))
   {
      if ($_SESSION['auth_token'] == $_POST['auth_token'])
      {
         $_SESSION['auth_token'] = hash('sha256', rand() . time() . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REQUEST_URI']);
      }
      else
      {
         die('Woah! It seems like you pressed Refresh (or Back/Forward). Just click here to sort it out.'); # TODO: hyperlink silly
      }
   }
   else
   {
      die('no auth token');
   }
}

Cheers.

1 answers

solution1
 1 ACCPTED  2011-04-05 00:07:27

My guess (based on your comment) is that when the user refreshes, they are sending their POST data again, but the auth_token is being updated at the beginning of the script, and hence the value in the $_POST (generated on previous page) will no longer equal the new value (generated at the beginning of the script).

You should look at Post/Redirect/Get to stop the resending of Post data.

You may also consider not regenerating the key until you have validated or invalidated the existing one.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Prevent form submitting when user refreshes webpage AJAX form refreshes page Different ad on sidebar when user refreshes page or navigates to different page My PHP form is sending blank entries when the page loads/refreshes When using form validate alongside isset $_POST, page refreshes but will not submit Value Old Does Not Work Out When The Form Refreshes insertion into cart does when page refreshes in codeigniter with ajax php form post updates database and refreshes page but does not update data on the page after refresh How to update only once even when user refreshes page the page again? PHP Login form refreshes page instead of redirecting
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM