Securing forms
#1

[eluser]Bramme[/eluser]
Hello everybody

I'm working on a new, rather large project. Security is a big concern and I'm trying to do as much as possible to make it as secure as possible.

I remember I once read that you can protect forms by making a hash of microtime() (or something like that), including that in a hidden input field and check against it.

But tbh, I don't really remember how it worked, however it got me thinking:

What if I were to make a hash of say time().microtime(), store it in a flashvar, put it in the hidden input and then check against it when processing the form.

The form will be processed by Ajax. Does this actually add extra security or shouldn't I bother?
#2

[eluser]tomcode[/eluser]
It only makes sense to me if you also have that unique value stored on the server so you can check against it. The easiest would be to use DB-based sessions, but that excludes session-disabled browsers.
#3

[eluser]bretticus[/eluser]
[quote author="Bramme" date="1251378178"]Hello everybody

I'm working on a new, rather large project. Security is a big concern and I'm trying to do as much as possible to make it as secure as possible.

I remember I once read that you can protect forms by making a hash of microtime() (or something like that), including that in a hidden input field and check against it.

But tbh, I don't really remember how it worked, however it got me thinking:

What if I were to make a hash of say time().microtime(), store it in a flashvar, put it in the hidden input and then check against it when processing the form.

The form will be processed by Ajax. Does this actually add extra security or shouldn't I bother?[/quote]

It's called clickjacking and Ajax gives you no extra security. If an attacker can inject something into the DOM or load that website into an iframe, they can alter the DOM and trick you into clicking on something you didn't intend. Really, the best way to secure your website is to do simple things like always prompting for the old password before allowing a new one to be set, etc.

I've heard of people hashing timestamps and storing them in the session and in a hidden field on the form page to ensure that the post is coming from the form that was loaded from the server. But I can't see why JavaScript could not read that hidden field and pass it through as well.
#4

[eluser]elvix[/eluser]
do a search (here or google) for CSRF. someone's already created a lib for this -- no sense reinventing the wheel :)

they extended the input class so it happens cleanly and transparently. there's also a helper function for inserting the token into ajax calls (look for this at bottom of lib, don't think it's documented that clearly).
#5

[eluser]bretticus[/eluser]
[quote author="elvix" date="1251440148"]do a search (here or google) for CSRF. someone's already created a lib for this -- no sense reinventing the wheel :)

they extended the input class so it happens cleanly and transparently. there's also a helper function for inserting the token into ajax calls (look for this at bottom of lib, don't think it's documented that clearly).[/quote]

Nice tip!

Reading through it I see that the name of the hidden field is also random. That makes a lot more sense to me. However, there is still a weakness that can be exploited: the hidden field will always have the same index when you iterate over the DOM. Perhaps you could slightly modify this to put a random number of these hidden fields in the document and pick one at random (and completely switch it up on the next post, which I'm sure this helper already does).

I would still approach security issues on this by always asking the question, "How would I want this to work if I stepped away and a stranger took my seat?"
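
The server-side check discussed in this thread (a per-form value kept in the session and echoed back in a hidden input), as an added example that is not part of any post above and not the code of the library mentioned. The function names, the `_form_tokens` session key, the `form_token` field name and the 900-second lifetime are assumptions; the token comes from `random_bytes()` rather than a hash of `time().microtime()`, because a timestamp is guessable.

```php
<?php
// Added example: per-form, single-use token stored server-side in the session.
// All names and the lifetime below are illustrative assumptions.

const FORM_TOKEN_TTL = 900; // seconds a token stays valid

function issue_form_token(array &$session, string $formId, ?int $now = null): string
{
    $now = $now ?? time();
    // CSPRNG output; the value carries no information about when it was made.
    $token = bin2hex(random_bytes(32));
    $session['_form_tokens'][$formId] = ['value' => $token, 'issued' => $now];
    return $token;
}

function check_form_token(array &$session, string $formId, $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $stored = $session['_form_tokens'][$formId] ?? null;
    // Single use: discard the stored token whether or not the check passes.
    unset($session['_form_tokens'][$formId]);
    if ($stored === null || !is_string($submitted)) {
        return false; // nothing issued for this form, or a non-string field
    }
    if ($now - $stored['issued'] > FORM_TOKEN_TTL) {
        return false; // form was loaded too long ago
    }
    // Constant-time comparison against the server-side copy.
    return hash_equals($stored['value'], $submitted);
}

// Demo: a plain array stands in for $_SESSION (constructed input).
$session = [];
$token = issue_form_token($session, 'profile');
$field = '<input type="hidden" name="form_token" value="'
       . htmlspecialchars($token, ENT_QUOTES) . '">';
echo $field, PHP_EOL;

var_dump(check_form_token($session, 'profile', $token));  // first submission
var_dump(check_form_token($session, 'profile', $token));  // same token replayed
$old = issue_form_token($session, 'profile', time() - 1000);
var_dump(check_form_token($session, 'profile', $old));    // older than the TTL
issue_form_token($session, 'profile');
var_dump(check_form_token($session, 'profile', 'guess')); // value not issued
```

Because each token is consumed on use, an Ajax handler built this way has to return a freshly issued token in its response so the next request from the same page can pass the check.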



