On 1/18/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> Nonetheless as I keep re-iterating, people will copy and paste this
> stuff as is because they don't know better. It is the responsibility
> of people writing the answers to make sure their code is validated and
> as "secure" as possible unless there is some glaringly obvious comment
> saying {get your data here} with a link to how to validate it
> properly.
I agree. Everyone should be pushing for the best code possible here...
> Using session based form tokens is a better approach to make sure the
> post came from within your application.
Except if your sessions timeout while the user is filling out the
form. I have a forum and sometimes people spend a LOT of time
composing messages (copy/pasting replies to reply to them, etc) and if
it's session-based, their session may timeout (depending on how it's
configured) before they hit submit, resulting in a total loss of data.
Unless the application understands to restart a session, but then
what's the point of the token...
I have non-user-specific tokens issued every request (with an expiry
of 24 hours) per form so it can only be submitted once. It's worked
pretty well, but as with everything there are a couple ways around it,
but it would take some work to do that.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
