
I have come across a huge issue on my website that I have spent months and months working on. The issue being the fact that users are able to use tools like firebug and other similar methods to change the HTML of my website. The issue is that if a user changes a part of forms, they could change who the message/post/etc.. goes to.

I currently have comments, messages, posts and other forms for the most part set up like this (as far as sending user information to use):

 <form rel="1"></form>

I use the rel as a place to store the userID that the content is going to. So this would go to the user with the ID of 1. The problem then is if the user changes this in the HTML to, like, 5, then submits the form, it will then go to user 5. How would it be possible to double check this when the information gets to the server so it wouldn't go through if it has been changed or whatever?

The only thing I can think of is hashing the user's ID or something and storing that value in the rel. This wouldn't solve the issue; however, it may make it a little more difficult for someone to figure it out.

Dylan Cross

2 Answers

Store the user ID in a session. Relying on important things like that from user input is a terrible idea.

session_start();
$_SESSION['user'] = array();
$_SESSION['user']['id'] = $result_set['id']; // or however else you may have retrieved their UID
$_SESSION['user']['name'] = $result_set['username']; // STORE ALL THE VARIABLES!!!
David Harris
  • Thanks, that's a good idea. I had also thought about using sessions as well, which would work fine in some cases, however to give you a little bit of understanding, my website is a social network similar to facebook, so how would I go about doing this with like commenting forms when there are say 20 or more posts on a page in a news stream type of thing? – Dylan Cross Dec 31 '12 at 18:07
  • Using a session should be perfectly fine for that situation. – David Harris Dec 31 '12 at 18:10
  • Well I guess I was just wondering how I would gather all of the information for each post, but I guess it would be as simple as just having it create a new SESSION as it prints out each of my posts and whatever else I have for content, right? I guess I was always thinking that would be overkill for having a number of sessions at the same time. Something like this would be fine though, right? `$_SESSION['postID']['userID']` – Dylan Cross Dec 31 '12 at 18:14
  • Why would you need to put the user ID in a separate session for each post? – David Harris Dec 31 '12 at 18:21
  • Well I actually probably wouldn't. The main information would be just the postID, for form responses I suppose. – Dylan Cross Dec 31 '12 at 18:23
  • That could cause issues. What if the user opens multiple pages and wants to comment on them all later on? That type of data CAN be used in the HTML form. Just make sure to validate it! – David Harris Dec 31 '12 at 18:24
  • Well, I'm not sure if you understand my question then? The form above isn't storing the user's id of the user that is logged in, I have that already stored in sessions. The data above can be either a postID, a userID, a messageID etc. of what someone is commenting on, posting to, or sending a message to. My issue all along has been how would I validate that information to make sure that the information hasn't been changed – Dylan Cross Dec 31 '12 at 18:30
  • I do understand it, but I'm saying, if you store something like that using only one session, once a new one is created (I assume once you go to comment on something), it is overridden. Am I missing anything? Is the user ID we're talking about right now the user who is commenting, or the user he's commenting towards? – David Harris Dec 31 '12 at 18:32
  • The userID would be the userID one is posting towards. That would be how a post would go though. However when a user comments on a post, it would go to the postID. – Dylan Cross Dec 31 '12 at 18:59
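The point made in the comments above (the target ID may travel in the form, but the server must validate it) as an added example, not code from the question or the answer. The hidden `post_id` field, the `$posts` array standing in for a database lookup, and the visibility rule are all assumptions made for the illustration:

```php
<?php
// Added example: the logged-in user comes only from the session set at
// login; the post being commented on comes from the form and is checked
// server-side for type, existence and authorization before use.
session_start();

// Constructed sample data standing in for a database: post id => owner, viewers
$posts = [
    1 => ['owner' => 1, 'visible_to' => [1, 2, 3]],
    5 => ['owner' => 4, 'visible_to' => [4]],
];

function currentUserId(): ?int {
    // Identity is never read from the form; only from the server-side session.
    return isset($_SESSION['user']['id']) ? (int) $_SESSION['user']['id'] : null;
}

function validateCommentTarget(array $posts, int $viewerId, $rawPostId): ?int {
    // 1. Type check: the submitted value must be a positive integer.
    $postId = filter_var($rawPostId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return null;
    }
    // 2. Existence check: the post must actually exist.
    if (!isset($posts[$postId])) {
        return null;
    }
    // 3. Authorization check: the viewer must be allowed to see that post.
    if (!in_array($viewerId, $posts[$postId]['visible_to'], true)) {
        return null;
    }
    return $postId;
}

$viewer = currentUserId();
if ($viewer === null) {
    http_response_code(401);
    exit('Not logged in');
}

// Assumed form markup: <input type="hidden" name="post_id" value="1">
$target = validateCommentTarget($posts, $viewer, $_POST['post_id'] ?? '');
if ($target === null) {
    http_response_code(403);
    exit('Invalid or unauthorized target');
}
// Only now is it safe to store the comment from $viewer on post $target.
```

A tampered value (for example 5 submitted by user 1) fails the authorization step and is rejected rather than being routed to the wrong post.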
You should consider doing this:

  1. user id and user should be stored in clear
  2. password should be hashed with SHA and a salt, the salt should be equal in length in relation to the length of the SHA hash (256, 512, etc)
  3. use a session key, a random string stored on the server and in $_SESSION; if $_SESSION['userid'] matches the database userid and $_SESSION['session_key'] matches the database session_key, it's secure
  4. use an expire timer on your session, store the time value at which the session should expire, always check if your session is valid or if it expired
  5. no auth data should be stored as plain HTML in any DOM element, it should be stored in sessions or, worst case, cookies
cristi _b
  • Sessions are destroyed upon site exit, why would you need a timer? – David Harris Dec 31 '12 at 18:09
  • in case he keeps his browser open for let's say 1 hour ... forgets he is logged in your app ... someone else sits at his computer and has access to his data, don't think that users will always close their browsers – cristi _b Dec 31 '12 at 18:10
  • Oh right, there are people that still don't close things when they leave the computer. How unfortunate. – David Harris Dec 31 '12 at 18:11
  • also, further documentation is available on owasp or here http://stackoverflow.com/questions/328/php-session-security or http://stackoverflow.com/questions/1590103/how-to-implement-php-login-or-authentication-session – cristi _b Dec 31 '12 at 18:14
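Items 3 and 4 of the answer above (a per-login session key checked against the database, plus an expiry timer) as an added example; this is not the answerer's code. `SESSION_LIFETIME`, the `$dbSessions` array standing in for the users table, and the sliding-expiry behaviour are assumptions:

```php
<?php
// Added example: every request checks the session's expiry and that the
// session key in $_SESSION still matches the key stored server-side.
session_start();

const SESSION_LIFETIME = 1800; // assumed: 30 minutes of inactivity

// Constructed stand-in for "SELECT session_key FROM users WHERE id = ?"
$dbSessions = [
    7 => 'constructed-key-for-user-7',
];

function loginUser(int $userId, array &$dbSessions): void {
    session_regenerate_id(true);               // new session id on login
    $key = bin2hex(random_bytes(32));          // random per-login key
    $dbSessions[$userId] = $key;               // persisted server-side
    $_SESSION['userid'] = $userId;
    $_SESSION['session_key'] = $key;
    $_SESSION['expires'] = time() + SESSION_LIFETIME;
}

function sessionIsValid(array $dbSessions): bool {
    if (!isset($_SESSION['userid'], $_SESSION['session_key'], $_SESSION['expires'])) {
        return false;                          // never logged in
    }
    if (time() > $_SESSION['expires']) {
        return false;                          // timer ran out
    }
    $stored = $dbSessions[$_SESSION['userid']] ?? null;
    if ($stored === null || !hash_equals($stored, $_SESSION['session_key'])) {
        return false;                          // key revoked or mismatched
    }
    $_SESSION['expires'] = time() + SESSION_LIFETIME; // extend on activity
    return true;
}

if (!sessionIsValid($dbSessions)) {
    session_unset();
    session_destroy();
    http_response_code(401);
    exit('Session invalid or expired');
}
// Request proceeds as user $_SESSION['userid'].
```

Replacing the stored key in the database (for example on logout from another device) invalidates the session on its next request even if the browser was left open.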