实现PHP会话令牌时出现问题

I'm trying to implement CSRF protection to a webform. Its a one page website that captures data, posts it to a PHP file which then emails me the information. The webpage functions as intended (minus the security).

I'm having the following issues:

I can't work out how to implement the PHP code to set the token; converting index.html to index.php loads a blank body. I think that resolving this would likely fix my issues.
When I try and call token.php from jQuery, I get a 403 error.
When I try and run the script in a 1-pixel iframe, I get a 500 error (I assume as it's being run on HTML).

token.php

<?php
session_start();

if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

$token = $_SESSION['token'];
?>

formsubmit.php

<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (!empty($_POST['token'])) {
        if (hash_equals($_SESSION['token'], $_POST['token'])) {
            $emailbody = 'Name: ' . $_POST['m_title'] . ' ' . $_POST['m_firstname'] . ' ' . $_POST['m_surname'] . "
"
                . 'Email: ' . $_POST['m_email'] . "
"
                . 'Phone: ' . $_POST['m_phone'] . "
"
                . 'D.O.B: ' . $_POST['m_dob_day'] . ' ' . $_POST['m_dob_month'] . ' ' . $_POST['m_dob_year'] . "
"         
                . 'Postcode: ' . $_POST['m_postcode'] . "
"
                . 'Lenders: ' . $_POST['m_bank1']  . ',' . $_POST['m_bank2'] . ',' . $_POST['m_bank3'] . ',' . $_POST['m_bank4'] . ',' . $_POST['m_bank5'] . ',' . $_POST['m_bank6'] . ',' . $_POST['m_bank7'] . ',' . $_POST['m_bank8'];               
            mail('**removed**', 'Web Lead', $emailbody);
            header('Location: **removed**/thankyou');
            exit();
        }   
        else {
            echo "token invalid";
        }
    }
    else {
        echo "token blank";
    }
}
else {
    echo "invalid request";
}
?>

My jQuery attempt in index.html

<script>
$(document).ready(function() {
    $.get('token.php');
}); 
</script>

Provided the PHP above is not riddled with errors, I had assumed that successfully converting it to index.php would resolve my issues, but I am having difficulty doing so.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douao3063 2018-08-29 16:00
关注
There's a few problems with your code:

token.php needs to output the token. Which is as simple as echo $token;

The main problem is that you've used the following jquery:

$(document).ready(function() { $.get('token.php'); });

What this means is that when the page (index.html) is loaded, your browser makes an ajax request to token.php. However... nothing further happens. You're not actually doing anything with the response (output) from token.php.

What you need to do is place the response from token.php into your web page. Going off the code you've posted I assume there is a form field with the name "token"? If this is the case then you would make the ajax request like this, which writes the response of token.php to that field:

$(document).ready(function() { $.get('token.php').done(function(data) { $('input[name="token"]').val(data); }).fail() { // Handle ajax request failure here }); )};

To answer your questions:

$_SESSION['token'] = bin2hex(random_bytes(32)); means that the variable $_SESSION['token'] contains your token. That's where you are setting it.

If you're getting a 403 error requesting token.php in the ajax request this means that the server won't process that request. So it could be a permissions issue or some other problem. Try putting die('test'); at on the first line of the script and then executing /token.php in your browser. Can you access it, or does it give you an error? If it's accessible it will say "test". Check the servers error log if you're unsure why you can't access it. Based on the code, it's unlikely that the URL to the script is wrong, or that'd give you a 404 error.

It's unclear why you're bothering with: "When I try and run the script in a 1-pixel iframe". I assume this is an attempt to write the response of token.php back to the page. That can be solved by my answer above.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

实现PHP会话令牌时出现问题 html php
2018-08-29 15:41

回答 1 已采纳 There's a few problems with your code: token.php needs to output the token. Which is as simple as
PHP会话令牌用于表单安全性 php
2016-02-13 00:02

回答 2 已采纳 The functionality of my code seemed fine in Safari, but other browsers mismatched the token. The
创建会话时出现问题 php
2015-09-23 09:28

回答 2 已采纳 Make session_start(); your first line in the file
php 登陆令牌例子,常见登录认证 DEMO
2021-04-26 12:56

Project Moto的博客 ⭐️ 更多前端技术和知识点，搜索订阅号 JS 菌订阅basic authbasic auth 是最简单的一种，将用户名和密码通过 form 表单提交的方式在 Http 的 Authorization 字段设置好并发送给后端验证要点：不要通过 form 提交...
PHP会话 - 几个问题 php
2017-02-22 09:59

回答 3 已采纳 No, the session garbage collection is managed by the system, based on the session.gc_maxlifetime
更改webhost后，使用php会话变量传递数据时出现问题 apache php
2015-10-26 19:37

回答 2 已采纳 Fixed it. While in error mode I saw this "Warning: session_start(): Cannot send session cache limi
在php页面中传递会话值的问题 javascript php
2018-03-16 20:06

回答 2 已采纳 This script has a lot of issues: 1) In the result.php page, you have that html output coming afte
php如何实现无状态,springCloud-依赖Spring Security使用 JWT实现无状态的分布式会话...
2021-04-26 19:25

茶未凉人已散的博客 JWT实现无状态的会话机制，是一个解决方案。1、什么是无状态？微服务集群中的每个服务，对外提供的都使用RESTful风格的接口。而RESTful风格的一个最重要的规范就是：服务的无状态性，即：1、服务端不保存任何客户端...
鼠标移动至少一次时创建PHP会话 javascript jquery php
2017-12-16 11:41

回答 1 已采纳 The PHP code should be something like this: session_start(); if (!isset($_SESSION['mouseMoved'])
实现CSDN自动登录出现的问题 ajax selenium 有问必答
2021-07-26 10:59

回答 3 已采纳用selenium连接已打开的浏览器，这个可以不用登录
PHP会话在页面更改时没有保留值 php
2016-06-09 04:37

回答 4 已采纳 session_set_cookie_params( $cookieParams["lifetime"], $cookieParams["path"], $co
2023前端面试题汇总
2023-03-09 17:58

下雪不过冬天的博客 2023前端基础面试题汇总
CSRF会话令牌无效 csrf php
2013-11-15 19:38

回答 1 已采纳 You're passing $token in as the first parameter for CSRF::check(). Surely, it should be: CSRF::ch
MyBlog:一个博客网络应用程序，其前端使用React和React Router，后端使用PHP。该应用程序的构建是为了使我能获得将PHP后端连接到MySQL数据库的经验，并出于Web安全原因使用PDO和准备好的语句以及数据清理。该应用程序还使用Jason Web令牌来验证会话并防止会话劫持XSS
2021-03-26 18:17

BLOG APP RUNNING REACT和PHP 先决条件将PHP根目录设置为blog_app目录使服务器在8888上运行将mysql配置为用户root和密码root 运行npm install 运行composer install 发展运行REACT_APP_API_URL=...
sso php 实现,PHP开发SSO单点登录系统时如何实现Seesion跨域共享
2021-03-23 18:21

weixin_31143391的博客目前设计需求是SSO应用程序通过其他业务应用重定向时携带参数url，如login.php?url=http://www.dingstudio.cn/callback.php 处理登录成功后的跳转。callback.php为各个应用的回调接口，登录成功后的信息同步处理均...
没有解决我的问题, 去提问

悬赏问题

¥15 为什么我运行这个网络会出现以下报错？CRNN神经网络
¥20 steam下载游戏占用内存
¥15 CST保存项目时失败
¥15 树莓派5怎么用camera module 3啊
¥20 java在应用程序里获取不到扬声器设备
¥15 echarts动画效果的问题，请帮我添加一个动画。不要机器人回答。
¥15 Attention is all you need 的代码运行
¥15 一个服务器已经有一个系统了如果用usb再装一个系统，原来的系统会被覆盖掉吗
¥15 使用esm_msa1_t12_100M_UR50S蛋白质语言模型进行零样本预测时，终端显示出了sequence handled的进度条，但是并不出结果就自动终止回到命令提示行了是怎么回事：
¥15 前置放大电路与功率放大电路相连放大倍数出现问题

实现PHP会话令牌时出现问题

1条回答 默认 最新

悬赏问题

1条回答默认最新