
I'm testing a basic form on my localhost and on my domain, domainexample.com.

I need to authorize only the forms submitted from my own site, domainexample.com.

I made this proof of concept:

PHP CODE

<?php
// form.php: handle the POST only when the hidden marker field is present.
// isset() is true for the hidden input even though it has no value attribute
// (the browser submits it as an empty string, and isset() only rejects null).
if (isset($_POST['testEngine'])) {
    $test = $_POST['test'] ?? '';
    // Escape before echoing: reflecting raw POST data back is a reflected XSS bug.
    echo htmlspecialchars($test, ENT_QUOTES, 'UTF-8');
}
?>

HTML FORM

<form method="POST" action="https://domainexample.com/form.php">
<input type="text" name="test" />
<input type="hidden" name="testEngine" />
<input type="submit" value="Search" />
</form>

I'm realizing that if I submit this form from my localhost, it executes on my server. How do I prevent this behaviour? Thank you.

max

  • I think most sites which try to prevent this type of thing employ techniques such as [CSRF tokens](https://portswigger.net/web-security/csrf/tokens) – ADyson May 09 '20 at 22:05
  • Does this answer your question? [How to properly add cross-site request forgery (CSRF) token using PHP](https://stackoverflow.com/questions/6287903/how-to-properly-add-cross-site-request-forgery-csrf-token-using-php) – MatsLindh May 09 '20 at 22:06
  • This is called CSRF: in effect you generate a token server side that the client needs to resubmit to the server for the form to be valid. That way other users can't make random people submit valid requests to your server. – MatsLindh May 09 '20 at 22:07
  • @MatsLindh thank you for your approach. Is it necessary to work with sessions in order to make CSRF tokens work? Because it is a real problem for me, coding sessions outside the user's normal login session. – max May 09 '20 at 22:08
  • You should generate a CSRF token in your session and also submit this token in the form as a hidden input; when the submit button is hit, the system may verify the session token against the submitted one. – Houssem Cherif May 09 '20 at 22:29
  • @max You can have CSRF schemes that do not require a session; you can create a random value, then "sign" that random value using an HMAC and a secret key, then verify that the random value and signature are correct when the CSRF token is submitted again. It'll be easier to just store it in `$_SESSION`, but it's not necessary. – MatsLindh May 09 '20 at 22:37
  • _"is a real problem for me coding sessions outside the user normal login session"_ ...why, exactly? – ADyson May 10 '20 at 00:03
  • @ADyson Because I create a session during the registration or the login process, before the user has created his own session. So I create a session before the login, or before the registration, and once the user is logged in this pre-user session merges with the active user session. So, several sessions. I just don't know. – max May 10 '20 at 02:21
  • As far as PHP is concerned it's all one session. Sessions in PHP relate to the connection to a particular browser (implemented using cookies), not to a login. When the user logs in, you just add more variables to it, to indicate the login status. I think you're creating an artificial problem for yourself there. – ADyson May 10 '20 at 06:47
  • OK, thank you, I'll figure it out. – max May 10 '20 at 12:56
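The two token schemes the comments describe, as an added worked example that is not code from the question or from any commenter. Both approaches are shown side by side: the `$_SESSION`-backed token (generate once per session, compare on submit) and the stateless HMAC-signed token (random nonce plus expiry, signed with a server-side secret). The function names, the `csrf_token` field name, the `CSRF_HMAC_SECRET` constant and the `$binding` parameter are assumptions made for this example; `hash_hmac`, `hash_equals`, `random_bytes` and `session_start` are standard PHP.

```php
<?php
// Added example, not from the original question or comments. Function names,
// the field name "csrf_token", CSRF_HMAC_SECRET and $binding are assumptions.
declare(strict_types=1);

// --- Approach 1: token kept in $_SESSION (the easier option) ----------------

function csrf_session_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One token per browser session: 32 random bytes, hex-encoded.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_session_verify(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() is a constant-time comparison; never use == here.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// --- Approach 2: stateless HMAC-signed token (no session needed) ------------

// Assumed: loaded from config or the environment, never sent to the client.
const CSRF_HMAC_SECRET = 'replace-with-a-long-random-secret-from-your-config';
const CSRF_TTL_SECONDS = 3600;

// $binding is something the attacker cannot obtain for the victim (e.g. the
// user ID or session ID). It goes into the HMAC input but not into the token,
// so a token minted for one browser does not verify for another.
function csrf_stateless_token(string $binding = '', string $secret = CSRF_HMAC_SECRET): string
{
    $nonce   = bin2hex(random_bytes(16));
    $expires = time() + CSRF_TTL_SECONDS;
    $payload = $nonce . '.' . $expires;
    $sig     = hash_hmac('sha256', $payload . '|' . $binding, $secret);
    return $payload . '.' . $sig;
}

function csrf_stateless_verify(?string $token, string $binding = '', string $secret = CSRF_HMAC_SECRET, ?int $now = null): bool
{
    if ($token === null) {
        return false;
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;                                   // malformed
    }
    [$nonce, $expires, $sig] = $parts;
    if (!ctype_xdigit($nonce) || !ctype_digit($expires)) {
        return false;                                   // malformed
    }
    if ((int) $expires < ($now ?? time())) {
        return false;                                   // expired
    }
    $expected = hash_hmac('sha256', $nonce . '.' . $expires . '|' . $binding, $secret);
    return hash_equals($expected, $sig);                // forged or tampered
}

// --- Wiring it into the form and the handler --------------------------------

// Emit this inside the <form>, next to the other inputs.
function csrf_hidden_input(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// form.php handler (session variant shown; swap in csrf_stateless_verify to go stateless).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['testEngine'])) {
    if (!csrf_session_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $test = (string) ($_POST['test'] ?? '');
    echo htmlspecialchars($test, ENT_QUOTES, 'UTF-8');
}
```

Usage: when rendering the form, call `csrf_session_token()` (or `csrf_stateless_token($binding)`) and echo `csrf_hidden_input($token)` inside the `<form>`; the cross-site copy of the form on localhost has no way to produce a token that verifies, so the handler rejects it with 403. The `$binding` parameter matters for the stateless variant: an HMAC over a random value alone proves only that the token came from your server, and an attacker can load your form to obtain such a token and embed it in their own page, so tie it to the user's session ID or user ID on both the minting and the verifying side.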

0 Answers