-1

Ok, so it seems someone had this issue already, but I don't see how the answer would apply to me. I didn't find any tag misplaced in my coding. My token is set once I arrive on the index.php, but it changes once it goes to the validate.php. I had it working in the morning but then came back to it to make sure I had it right so I could load it up, I am behind schedule on my work because of this, and now it doesn't work. I had all coding in the same index.php, using if(!isset(session)) set sec_token, but for some reason it stopped working. Then I split it into these files to clear it up, and it still didn't work.

What am I doing wrong, or how can I find the bug to prevent this from happening? -The Token Changing that is- I've tried all other answers, and none worked. I would be pleased if I get some help, Thank you in advance.

PHP session variable changes between pages

//index.php

```php
<?php
session_start();

// In this file I have the random_text() function, nothing else
require_once 'token.php';

// Set up a token variable
$token = random_text();

// Session now will have the token
$_SESSION['sec_token'] = $token;

// Now the token will be displayed
echo $_SESSION['sec_token'];
?>

<!-- HTML CODE STARTS -->
<!DOCTYPE HTML>
<HTML>

<HEAD>
<title>Token</title>
</HEAD>

<BODY>
<HEADER style="text-align:center;">
<h1>Token</h1>
</HEADER>

<main>
<div style="text-align:center;">

<!-- validate.php is where we have the validation of token. -->
<form action="validate.php" method="POST">
<h2>enter what ever</h2>

<input type="text" name="info"><br><br>

<button type="submit" name="test" style="display:inline-block;">Test Token</button>
<div style="width:2.5%; display:inline-block;"></div>

<!-- Here is the hidden input with the token being placed -->
<input type="hidden" name="token" value="<?php echo $token; ?>">
</form>

</div>
</main>

<FOOTER>
</FOOTER>

</BODY>
</HTML>
```

//validate.php

```php
<?php
session_start();

// This would echo the token again to make sure it stayed the same.
echo $_SESSION['sec_token'];

// Here we set the safety variable
$valid = FALSE;

// Here it makes sure that the session token is set and the post token
if (isset($_SESSION['sec_token']) && isset($_POST['token']))
{
    if ($_SESSION['sec_token'] == $_POST['token'])
    {
        $valid = TRUE;
    }

    // If false it would destroy the session, you could skip this if you like.
    if ($valid == FALSE)
    {
        // Unset all of the session variables.
        session_unset();

        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (ini_get("session.use_cookies"))
        {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]);
        }

        // Finally, destroy the session.
        session_destroy();
        $_SESSION = array();
        exit("<h1>This Web-Site keeps track of IP Address, and attempts against it!<br> An Alert has been Sent, and it will be investigated!</h1>");
    }
    // If True, then it should do the transaction!
    elseif ($valid == TRUE)
    {
        echo $_POST['info'].'<br>';
        echo 'It Worked!';
    }
}
```
Cœur
DMaster
  • Possible duplicate of [How to properly add CSRF token using PHP](https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php) – lotfio Mar 27 '18 at 22:55
  • Post both files (whole) on pastebin for easier debugging. – Karlo Kokkak Mar 27 '18 at 23:30
  • This is the link to pastebin with all the three .php docs. Let me know if you see something I don't see. [link](https://pastebin.com/SPyBpqeJ) @Karlo Kokkak I believe I mentioned that I had it that way, but it stopped working. Also tried the count request.. I get only one.. such as 1,2,3 I even placed an else if my token is being produced by `if(!isset($_SESSION['sec_token']))` set sec_token, and somehow it jumps it and still gives me a token value. I made sure it was all destroyed and it still didn't do the job. @Lotfio Lakehal – DMaster Mar 28 '18 at 00:39
  • Replace index.php with this: https://pastebin.com/h3aFZPvv – Karlo Kokkak Mar 28 '18 at 01:32

1 Answer

0

Thank you both of you for helping me, but I noticed that my count most of the time started with a 1, and once in a while it would start with a 0 value as it arrived into the page. When it starts with a count of 0, it works just fine, but when it starts with a 1 is when the error pops up. But from there on the count continued 1,2,3,4... But I also noticed during multiple runs, the Token of the session didn't change at all after the 1 count. So, that explains why How to properly add CSRF token uses the else statement for this. It is a catcher of such a bug. So once you arrive, if it is not a 0 count on the page, then the else would catch it. If it is a 0 on your first count, then it should work just fine, and the else statement gets ignored. So, I just went and used the catcher. "else"

I would have preferred to really know why it would go to 1 count, instead of starting at 0... Whatever... Thank you anyway and sorry for your time.

DMaster
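The posted index.php assigns a fresh `random_text()` value to `$_SESSION['sec_token']` on every request, so any extra load of that page replaces the token the form was rendered with. As an added example (not the poster's code and not code from the linked answer), the block below puts both pages in one file, creates the token only when the session has none, and compares it in constant time. `csrf_token()` and `csrf_is_valid()` are hypothetical helper names, and `random_bytes()` stands in for `random_text()`, whose body is not shown on the page.

```php
<?php
// Added example, not the poster's code. csrf_token() and csrf_is_valid() are
// hypothetical names; 'sec_token' and the 'token' field come from the question.
session_start();

// Return the session's token, creating it only when the session has none.
// Every later request reuses the stored value, so an extra load of the form
// page can no longer replace the token an already rendered form carries.
function csrf_token(): string
{
    if (empty($_SESSION['sec_token'])) {
        // random_bytes() is a CSPRNG; it stands in for random_text().
        $_SESSION['sec_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['sec_token'];
}

// Compare the submitted token with the stored one in constant time.
// Missing or non-string values fail closed.
function csrf_is_valid($submitted): bool
{
    $stored = $_SESSION['sec_token'] ?? null;
    if (!is_string($stored) || $stored === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // validate.php side: reject before doing any work or sending output.
    if (!csrf_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid token');
    }
    // Escape user input before reflecting it into the page.
    echo htmlspecialchars($_POST['info'] ?? '', ENT_QUOTES, 'UTF-8'), '<br>It Worked!';
    exit;
}
?>
<!-- index.php side: the hidden field carries the value the session holds -->
<form action="" method="POST">
  <input type="text" name="info">
  <input type="hidden" name="token" value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
  <button type="submit" name="test">Test Token</button>
</form>
```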