PHP $_SESSION Form Token Problem ?

Question

phplover 0 Junior Poster in Training

13 Years Ago

Hi,

I basically have two functions; the first one below GenerateFormTokenHash() is placed in a hidden field on my form and echoed out in the hidden field plus it stores the token in a session called token.

The second function below IsValidFormTokenHash() is called straight after the check is made to see if form is submitted.

Problem:

Although the session token matches the hidden field token it still echoes out that the session token and hidden field token does not match althou when i echo them out they do match, plus i manually check the session file and it matches.

/* Form Token Hash Generator
This function is called in the hidden text form field
and stores the unique token in a session
*/
function GenerateFormTokenHash()
{
  $token = $_SESSION['token'] = sha1(uniqid(time().mt_rand().$_SERVER['REMOTE_ADDR'], true));
  return htmlspecialchars($token);

}


/* Form Token Hash Validator
This function is called straight after the check is made to see if form has been submitted
*/
function IsValidFormTokenHash()
{

        if($_POST['token'] != $_SESSION['token'])
        {
            $_SESSION = array();
            setcookie(session_name(), '', time()-42000, '/');
            # Destroy the session
            session_destroy();
            # Generate new seesion id
            session_regenerate_id(true);
            # Display Message (TESTING)
            echo '<h1>SESSION TOKEN DOES NOT MATCH</h1>';
        }
}

I am very confused at what is happening. Anyone know what could be the cause?

Thanks
PHPLOVER

php

Edited 13 Years Ago by phplover because: n/a

2 Contributors
5 Replies
227 Views
19 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by phplover

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

techRobo -1 Newbie Poster · Answer 1 · 2011-02-20T09:22:52+00:00

Hi,
I want to see the first line of your code.

phplover 0 Junior Poster in Training · Answer 2 · 2011-02-20T09:29:16+00:00

Hi,

Thats a bit difficult as those functions are an include file and is the first thing to be included before any other code. Also if i remove the session destroy etc and just leave the echo output in second function it still says the same thing. I have all php errors on to and don't get anything back, i also tried with ob_start() and still the same.

Thanks,
PHPLOVER

techRobo -1 Newbie Poster · Answer 3 · 2011-02-20T10:11:05+00:00

ob_start() should work... please try with session_start(); & put it before your code begin, i mean "session_start();" should be you first line of your code...

phplover 0 Junior Poster in Training · Answer 4 · 2011-02-20T18:12:22+00:00

Hi,

It already is the first line of code without any spaces, newlines etc.

Thanks
PHPLOVER

phplover 0 Junior Poster in Training · Answer 5 · 2011-02-20T21:57:17+00:00

Hi,

Just to let you know i have tracked the problem with some slight wierdness. Please read on.

It seems the problem was actually being caused in Chrome. There is an addon for Chrome called Webug, after disabling all addons and re-nabling one by one it seems that this Chrome addon causes the page to either load twice or alters the token. When i disable it i have no problems at all and the sessions match but when the addon is enabled the session token does not match the form token.

I submitted an issue bug to the developer but still not sure what to do because:

I created a sample form added the session_start(); then the two functions then the form processing code and the form itself in one file and tried it with the addon enabled and disabled in Chrome and the session token always matches the form hidden token like it should yet the same code in my website on local must be conflicting with the addon when enabled as my hidden form token does not match the session token. So i have came to the conclusion after hours and hours of debugging that the extension is conflicting with my code somewhere.

I am not sure if i should worry about this as when the addon is disabled it works fine but when enabled the session token and hidden field token does not match, it's deifinately conflicting with my code but i obviously cannot and won't know what the addon is conflicting with. I mean when my site goes live if people uses chrome and have the Webug addon enabled they will have problems with my site. The addon must be conflicting with other php code in my site causing the problem.

Some may say it's my code but i mean how can a addon conflict with my php code, to me it's the addon not my code as my code works in any other browser? , i have tried and thought how i can change my code to solve the issue but i don't know what the addon is conflicting with and i have tried numerous ways to try and solve it but can't.

I could just remove form tokens all together but i wanted to use them to stop form forgery.

anyone suggest what i should do?

Thanks
PHPLOVER