
Actually I have a login form which gathers information and proceeds.

Now I want to make sure to entertain only requests from this login page that was served from my server and not any other page that hits my URL with the same parameters.

Thanks for the enlightenment in advance.

sandy

5 Answers


The easiest approach -- no matter what your development environment is -- would be to set a session variable when the login gets posted and then have your servlet check for that particular value.

thanassis

Probably there are better ways, but something like this should do the work.

// Compare the host in the Referer header with our own domain.
// The Referer header is supplied by the client and may be absent or forged.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (parse_url($referer, PHP_URL_HOST) === 'mydomain.com') {
    // do some stuff
} else {
    die("requests from external servers are denied!");
}

Also check this link for a good explanation about CSRF exploits and how to prevent them: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention

Simone

In the login page:

<input type='hidden' name='access' value='granted'/>

In the page your login form redirects to:

session_start();
// only mark the session when the hidden field from the login form is present
if (isset($_POST['access']) && $_POST['access'] == 'granted') {
    $_SESSION['access'] = 'granted';
}

On every page you want to control(except login):

session_start();
if (!isset($_SESSION['access']) || $_SESSION['access'] != 'granted') {
    die("Request denied!");
}

Martin

You could issue some kind of one-time ticket into the login form page and check it later when the form submission is sent.

A simple example would be to set a flag in the session on login page request. Later when the form is submitted, you check whether the flag is set. If it is set, you allow the processing and unset it so it cannot be used again.

Note that this only forces requesting the login form before submitting it. But it doesn’t prevent any kind of attack like automated requests or Cross-Site Request Forgery attacks, if that’s what you’re trying to accomplish.

Gumbo

A quick'n'dirty solution is to track every form submit.

When you show the page with the form, you add a row in a database table:

submission_id | token | expire |

Then in the page you put (in a hidden field, or in the form's action) the submission_id.

When you receive the form's post, you can do all the checks you need (common ones are: only one submit for each submission_id, and an expiry time).

Strae
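Gumbo's one-time ticket and Strae's per-submission row with an expiry, combined into one added example in Python rather than PHP; it is not code from any answer on this page. It assumes the web framework supplies a stable session id, calls issue() when the login form is rendered and consume() when the POST arrives; the in-memory dict stands in for the submission_id | token | expire table, and the ten-minute lifetime is a constructed value.

```python
import hmac
import html
import secrets
import time

TOKEN_TTL_SECONDS = 600  # constructed value: a rendered form is valid for ten minutes


class FormTokenStore:
    """Server-side store of one-time form tickets, keyed by submission_id.

    Each ticket is bound to the session that rendered the form, expires after
    TOKEN_TTL_SECONDS, and is removed on first use so it cannot be replayed.
    The dict stands in for the submission_id | token | expire table."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock so expiry can be exercised in tests
        self._rows = {}    # submission_id -> (session_id, token, expire)

    def issue(self, session_id):
        """Call when rendering the login form; returns the two hidden-field values."""
        submission_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._rows[submission_id] = (session_id, token, self._now() + TOKEN_TTL_SECONDS)
        return submission_id, token

    def consume(self, session_id, submission_id, token):
        """Call when handling the POST; returns True at most once per ticket."""
        # pop() deletes the row whatever the outcome: a replay, or a retry after a
        # failed guess, finds nothing and is rejected
        row = self._rows.pop(submission_id, None)
        if row is None:
            return False
        expected_session, expected_token, expire = row
        if self._now() > expire:
            return False
        # compare_digest keeps the comparison time independent of where the
        # submitted values first differ from the stored ones
        return (hmac.compare_digest(expected_session.encode(), session_id.encode())
                and hmac.compare_digest(expected_token.encode(), token.encode()))


def hidden_fields_html(submission_id, token):
    """Markup to embed in the form in place of a constant hidden value."""
    return (f'<input type="hidden" name="submission_id" value="{html.escape(submission_id)}">\n'
            f'<input type="hidden" name="token" value="{html.escape(token)}">')
```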