Friday 15 June 2012

Why do you need a nonce to verify a form with a PHP SESSION?

I am trying to verify that a form was sent from the same server.

I read that a random token can be selected, added to the form as a hidden field, and added to the session. The PHP file can then validate that the request was sent from the site by comparing the token in the POST info with the one in the session.

My question is, why do I need to generate a random token at all? Can I not just set a variable in the session on the form page, check to see if the variable is set in the PHP file, and then unset it?

The #1 reason for using such a token is to prevent CSRF attacks. The #2 reason is to prevent a user from accidentally submitting the same form twice.

To elaborate on #1, if you set a session variable that says the user visited the page, it can be faked. For example, imagine a malicious webpage that contains <img src='http://example.com/path/to/form.php' /><script>malicious javascript to post form data</script>. The image simulates the user visiting the form and sets the session variable. The malicious javascript then silently submits the form info to your site, and you'll have no way of verifying if it was the actual user or an attacker.

Using a simple session variable might prevent issue #2, but it will do nothing to mitigate CSRF attacks.
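The token round-trip the answer describes, as an added example (not code from the question or the answer): the value is stored server-side in the session and echoed into the form as a hidden field, so a page on another origin can trigger the request but cannot read the token to include it. The helper names csrf_token() and csrf_check() are assumptions chosen for this illustration; it assumes PHP 7 or later.

```php
<?php
// Added example: CSRF token issued into the session and checked on submit.
// csrf_token() and csrf_check() are hypothetical helper names.
session_start();

// Issue a token: one unguessable value per session, stored server-side and
// echoed into the form as a hidden field. A cross-origin page cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify a submission: the token in the POST must equal the one in the
// session. hash_equals() compares in constant time.
function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Drop the token once used; a repeated submit of the same form then
    // fails the check, which also covers reason #2 (accidental double post).
    unset($_SESSION['csrf_token']);
    echo 'Form accepted.';
    exit;
}

// The form page: embed the token as a hidden field, HTML-escaped.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="form.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
HTML;
```

Contrast this with a plain "visited" flag in the session: the forged request in the answer's example would carry the victim's session cookie and so pass that flag check, whereas it cannot carry a token it never saw.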

Tags: php, forms, validation, session
