duankuang1046 2016-02-13 00:02
浏览 39
已采纳

PHP会话令牌用于表单安全性

I have not been able to successfully submit a form I am working on in Chrome or Firefox. The form works in Safari, however.

I just started trying to use PHP last week and modified code from this post on CSS Tricks. I am trying to give the session a random token, store that token in a variable, set that token to a hidden input field, and then make sure the two match when the form is submitted.

The problem is that the session token that is created doesn't match the token assigned as a value to the hidden input. When the form is submitted, a new session token is recreated and thus doesn't match the original random number from the session. The curious thing is that it works in Safari and not other browsers.

The PHP

<?php 
session_start();

function generateFormToken($form) {

    // generate a token from an unique value, took from microtime, you can also use salt-values, other crypting methods...
    $token = md5(uniqid(microtime(), true));  

    // Write the generated token to the session variable to check it against the hidden field when the form is sent
    $_SESSION[$form.'_token'] = $token; 
    echo $token;
    return $token;
}

function verifyFormToken($form) {

    // check if a session is started and a token is transmitted, if not return an error
    if(!isset($_SESSION[$form.'_token'])) { 
        return false;
    }

    // check if the form is sent with token in it
    if(!isset($_POST['token'])) {
        return false;
    }

    // compare the tokens against each other if they are still the same
    if ($_SESSION[$form.'_token'] !== $_POST['token']) {
        return false;
    }

    return true;
}
function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
  }

if (verifyFormToken('form1')) {
    $name = check_input($_POST["name"]);
    $email = check_input($_POST["emailaddress"]);
    $message = check_input($_POST["message"]);
    $ForwardTo = 'me@gmail.com';
    $details='Name: '.$name."
".'Email: '.$email."
".'Message: '.$message."
";

        //do stuff
    mail($ForwardTo,"Construction of Hope Contact",$details,"From:$email");
}

?>

The related form:

<!--Markup for Contact form-->
        <form action='index.php' method='post' class='contact-format'>


        <p><input type="hidden" name="token" value="<?php echo $newToken; ?>"></p>
        <p>
      <button type="submit" name='submit' class="btn btn-primary button">Send</button>
    </p>

</div>
  • 写回答

2条回答 默认 最新

  • dousong2023 2016-02-15 18:11
    关注

    The functionality of my code seemed fine in Safari, but other browsers mismatched the token.

    The issue involved .... not having a favicon.

    This post was the key in solving the problem.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

  • PHP会话令牌用于表单安全性 php
    2016-02-13 00:02
    回答 2 已采纳 The functionality of my code seemed fine in Safari, but other browsers mismatched the token. The
  • 实现PHP会话令牌时出现问题 html php
    2018-08-29 15:41
    回答 1 已采纳 There's a few problems with your code: token.php needs to output the token. Which is as simple as
  • PHP LDAP会话持久性 php
    2019-02-04 15:31
    回答 1 已采纳 The problem is not about LDAP, the problem is about HTTP. HTTP is a stateless protocol whereas LD
  • PHP 安全:使用 CSRF 令牌防止 XSS 攻击
    2024-04-25 05:00
    新华的博客 在动态的 Web 开发环境中,安全性仍然是一个最重要的问题。跨站点脚本(XSS) 和跨站点请求伪造(CSRF) 是 PHP 开发人员必须解决的两个普遍安全漏洞,以保护其应用程序。本文深入探讨了 XSS 攻击的复杂性,探讨了 ...
  • 会话变量间歇性PHP html php
    2018-01-19 20:45
    回答 1 已采纳 SOLVED: In my navigation bar I was using a full URL instead of a relative link, this was causing
  • php提交表单php超级全局变量 php
    2017-08-11 06:12
    回答 4 已采纳 这个问题本人解决了,现将问题原因解释一下: 问题:php提交表单失败,就这个问题而言导致提交表单失败的原因实在是太多,后来我发现用get提交成功,当用post提交时才会失败, 就代码本身没用一点错
  • PHP KCFinder会话安全选项 php
    2016-10-27 12:15
    回答 1 已采纳 KCFinder already has this feature built into it. In your login procedure, you should set a session
  • php 登陆令牌例子,常见登录认证 DEMO
    2021-04-26 12:56
    Project Moto的博客 ⭐️ 更多前端技术和知识点,搜索订阅号 JS 菌 订阅basic authbasic auth 是最简单的一种,将用户名和密码通过 form 表单提交的方式在 Http 的 Authorization 字段设置好并发送给后端验证要点:不要通过 form 提交...
  • 用于购物车的会话数组在php php
    2017-05-02 12:42
    回答 2 已采纳 Your question is not clear. I think what you want is an array structure like this : <?php $_S
  • PHP会话安全 - 金丝雀会话 php
    2016-04-21 09:38
    回答 1 已采纳 The way PHP handles sessions, is to generate a unique session id for each user, and store it in a
  • 如何将会话变量传递到PHP中的表单 php
    2018-06-07 09:37
    回答 1 已采纳 Just break out from the string and concatenate, like this: echo "<form method='POST' action='"
  • php知识点-安全
    2024-04-18 15:41
    wxjing1的博客 哈希(Hash)用于将任意长度的输入通过散列算法变换成固定长度的输出,需要使用 hash_equals() 函数来进行比较哈希,hash_equals() 是可以防止时序攻击的一种。(2)文件执行权限不当:PHP服务器在保存上传文件时,...
  • 表单提交后PHP更新会话 php
    2015-09-15 20:56
    回答 1 已采纳 Finally found a way to get this to work rather than relying on a bunch of kids. The whole time dur
  • PHP如何防止常见的Web安全漏洞?
    2024-04-21 15:24
    代码探索者q的博客 跨站脚本攻击允许攻击者在受害者的浏览器中执行恶意脚本,窃取用户的敏感信息,如cookie、会话ID等,或者进行其他恶意操作。跨站请求伪造攻击者利用受害者的已登录状态,在受害者不知情的情况下,以受害者的名义执行...
  • PHP开发中如何防范常见的Web安全漏洞
    2024-04-23 13:03
    代码云1的博客 除了上述提到的SQL注入、XSS攻击、文件上传漏洞、CSRF攻击和点击劫持漏洞外,还有其他一些安全漏洞也需要注意,如会话劫持、敏感信息泄露等。跨站脚本攻击是一种常见的Web攻击方式,攻击者通过在Web页面中注入恶意的...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 下图接收小电路,谁知道原理
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度
  • ¥30 关于#r语言#的问题:如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测
  • ¥15 ETLCloud 处理json多层级问题
  • ¥15 matlab中使用gurobi时报错
  • ¥15 这个主板怎么能扩出一两个sata口
  • ¥15 不是,这到底错哪儿了😭
  • ¥15 2020长安杯与连接网探