Javascript Hacking Forms (Security Concern)
#1

[eluser]axpen[/eluser]
It came to my attention while watching the CodeIgniter blog tutorial.

Consider the following;

Code:
<?=form_open('blog/comment_insert');?>
<?=form_hidden('entry_id', $this->uri->segment(3));?>

Now this from the Firefox console;

Code:
document.forms[0].entry_id.value = 42; // insert your fictitious number here

In this case that wouldn't be so bad; the worst you could do is comment on a closed (non-authenticated) post.

Does CodeIgniter have anything to prevent this other than using sessions? I know you could just download the file and change it too, but this way circumvents checking where the form URL came from. So does that mean the days of persisting information in hidden fields are gone if you want any level of security in your variables?
#2

[eluser]Pascal Kriete[/eluser]
I would follow Yahoo's advice here and create a form token.
Code:
// Obfuscate the name a bit, and create a hash
form_hidden('e_uid', md5('something_totally_random_noone_will_guess'.$this->uri->segment(3)));

// If you want to be very fancy
form_hidden('e_uid', $_SERVER['REQUEST_TIME'].md5($_SERVER['REQUEST_TIME'].$this->uri->segment(3)));

Then in the backend you can create the same hash, and compare it to the POST value. For the second example you could even put a time limit on the form.

Beyond that, sessions are probably your best bet.
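A worked version of the form-token idea, added here as an example; it is not code from the thread or from CodeIgniter. It swaps the bare md5(secret . id) concatenation for hash_hmac with a server-side key and an issue timestamp, carries the timestamp in the token so the backend can apply a time limit, and compares in constant time. The key value, the 15-minute limit, the hypothetical helper names make_entry_token / verify_entry_token and the constructed demo values are assumptions for the example:

```php
<?php
// Added example: sign the hidden entry_id so the server notices when it has been
// changed from the browser console. Not the thread's or CodeIgniter's own code.

const TOKEN_TTL = 900; // assumed limit: tokens older than 15 minutes are refused

// Token format: "<issued-unix-time>:<hex hmac over issued-time and entry_id>"
function make_entry_token(string $secret, int $entry_id, int $now): string
{
    $msg = $now . ':' . $entry_id;
    return $now . ':' . hash_hmac('sha256', $msg, $secret);
}

function verify_entry_token(string $secret, int $entry_id, string $token, int $now): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$issued, $mac] = $parts;
    $issued = (int) $issued;
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return false; // expired, or issue time is in the future
    }
    $expected = hash_hmac('sha256', $issued . ':' . $entry_id, $secret);
    // hash_equals avoids leaking how many leading bytes of the MAC matched.
    return hash_equals($expected, $mac);
}

// Sketch of where this sits in the tutorial's blog form (assumed wiring):
//
//   view:        echo form_hidden('entry_id', $entry_id);
//                echo form_hidden('entry_token', make_entry_token($secret, $entry_id, time()));
//
//   controller:  if (!verify_entry_token($secret, (int) $this->input->post('entry_id'),
//                                        (string) $this->input->post('entry_token'), time())) {
//                    show_error('Invalid form token', 403);
//                }

// Stand-alone demo with constructed values.
$secret = 'replace-with-a-long-random-key'; // assumption: read from config in real code
$now    = 1700000000;
$token  = make_entry_token($secret, 7, $now);

var_dump(verify_entry_token($secret, 7, $token, $now + 60));   // untouched form, within limit
var_dump(verify_entry_token($secret, 8, $token, $now + 60));   // entry_id edited in the console
var_dump(verify_entry_token($secret, 7, $token, $now + 2000)); // same form, submitted too late
```

Two caveats a practitioner would add. First, a token like this only proves the server itself emitted that entry_id/timestamp pair; anyone who can load the page for a closed post gets a valid token for it, so the controller still has to check on insert whether commenting on that entry is allowed. Second, the security rests on the key staying secret, not on the hash output being hard to reverse, which is why the keyed HMAC is preferable to hashing a concatenated secret.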
#3

[eluser]axpen[/eluser]
Yeah, that's what I thought; that sucks.

MD5s and even SHA-1s are getting easier and easier to crack now with the advent of sites that do reverse lookups; fortunately, md5ing your md5s seems to stump them ;-), with a trade-off of redundancy.