Problem with Session vs. Post variables

too much information

4:27 am on Oct 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

This is very strange to me but I'm trying to secure a form on a page by using a random string, but I can't seem to get it to work and I can't spot the problem.

// This creates and sets the random number as a session variable
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

// In my form I have the line:
echo "<input type=\"hidden\" name=\"token\" value=\"".$token."\" />";

Then when I compare $_POST['token'] and $_SESSION['token'] they don't match.

Am I missing something or is my $token being regenerated every time it's used?

Habtom

4:55 am on Oct 23, 2007 (gmt 0)

They might be getting regenerated and carrying different values at the time you compare them.

How about just printing them so that you see what values they are carrying, just comparing them won't tell you much.

too much information

5:12 am on Oct 23, 2007 (gmt 0)

I just tried printing them and they are different values. It's not what I expected at all and I can't see where I'm going wrong.

Could the problem be with the 'uniqid'?

*added: I'm comparing them on the page that processes the form and the $token is only being generated once.

Habtom

5:38 am on Oct 23, 2007 (gmt 0)

But I would assume once the value is assigned to the variable,
$token = md5(uniqid(rand(), true));
there seems to be no reason why it should change the value of $token.

But you just need to make sure you are not running $token = md5(uniqid(rand(), true)); again.

uniqid is based on the current time in microseconds to generate what it generates, but can't see why it should be changing the value of the variable $token.

Is it being run again?

phparion

6:05 am on Oct 23, 2007 (gmt 0)

I agree with Habtom, you might be running the token generating code again. For this you can simply use isset() kinda functions to check if the variable is already set with some value; if it is then do not generate the token value, otherwise generate it. Put the session variable in this IF statement too.

PHP_Chimp

9:33 am on Oct 23, 2007 (gmt 0)

Not that this helps with your issue but -
$token = md5(uniqid(rand(), true));

This token will not quite be random. There is a note about using md5 with uniqid on the uniqid page of the manual. uniqid should not generate the same value unless the requests are processed at exactly the same time, whereas md5 has collisions. So you are generating a random number then possibly changing it so that this number is no longer random.

This may help with your issue -
Not that it should make any difference, but have you tried

echo "<input type=\"hidden\" name=\"token\" value=\"".$_SESSION['token']."\" />";

too much information

3:38 pm on Oct 23, 2007 (gmt 0)

The problem is that I'm setting the value of $token once, then on the same page I'm setting $_SESSION['token'] = $token; and the hidden fields. The actual comparison is on the form processing end.

This works for me on a page that processes itself, but when I pass the form data to a separate page for processing it doesn't.

Ok, I found the problem...

Just as I was thinking of it, I checked to see if there was an included page that was trying to do the same thing and there was. So $token was being set twice.

Always check your includes!
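As an added example (not code from the thread), a PHP sketch of what the thread arrives at: the stray second generation is reproduced first, then replaced with the isset() guard phparion suggested plus a constant-time check on the processing page. The $session array standing in for $_SESSION and the function names are my own.

```php
<?php
// Added example, not code from the thread. A plain array stands in for
// $_SESSION so this runs from the CLI; on a real page call session_start()
// first and pass $_SESSION instead.
declare(strict_types=1);

// What the thread's page did: every call makes a fresh token, so a second
// call (the include) overwrites the session value after the hidden field
// has already been echoed into the form.
function csrf_token_buggy(array &$session): string
{
    $session['token'] = md5(uniqid((string) rand(), true));
    return $session['token'];
}

// Fixed: generate once per session (the isset() guard suggested by
// phparion) and take the token from a CSPRNG rather than md5(uniqid()).
function csrf_token(array &$session): string
{
    if (!isset($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

// Processing page: a missing token on either side fails, and the
// comparison is constant-time so the check leaks nothing about the value.
function csrf_valid(array $session, array $post): bool
{
    if (!isset($session['token'], $post['token'])) {
        return false;
    }
    return hash_equals($session['token'], (string) $post['token']);
}

// Replay the thread: render the field, then let an include re-run the generator.
$session = [];
$posted  = ['token' => csrf_token_buggy($session)]; // value echoed into the form
csrf_token_buggy($session);                         // the stray include
var_dump(csrf_valid($session, $posted));            // the mismatch the thread saw

$session = [];
$posted  = ['token' => csrf_token($session)];
csrf_token($session);                               // second call is now harmless
var_dump(csrf_valid($session, $posted));
```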