On Jan 18, 2008 5:06 PM, mike <mike503@xxxxxxxxx> wrote:
> On 1/18/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>
> > Nonetheless as I keep re-iterating, people will copy and paste this
> > stuff as is because they don't know better. It is the responsibility
> > of people writing the answers to make sure their code is validated and
> > as "secure" as possible unless there is some glaringly obvious comment
> > saying {get your data here} with a link to how to validate it
> > properly.
>
> I agree. Everyone should be pushing for the best code possible here...
>
> > Using session based form tokens is a better approach to make sure the
> > post came from within your application.
>
> Except if your sessions timeout while the user is filling out the
> form. I have a forum and sometimes people spend a LOT of time
> composing messages (copy/pasting replies to reply to them, etc) and if
> it's session-based, their session may timeout (depending on how it's
> configured) before they hit submit, resulting in a total loss of data.
> Unless the application understands to restart a session, but then
> what's the point of the token...
>
> I have non-user-specific tokens issued every request (with an expiry
> of 24 hours) per form so it can only be submitted once. It's worked
> pretty well, but as with everything there are a couple ways around it,
> but it would take some work to do that.
>
That is a good point to consider. On our servers we have the session
timeout set to when the browser is closed so I forget sometimes people
put actual time limits on them.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
