0

I've been testing out some forms I've been building and I recently implemented token comparison for additional security. Here is the code for the token comparison:

On the form itself: 

session_start();
$token = md5(uniqid(mt_rand(), true));
$_SESSION["token"] = $token;
session_write_close();

Then on the processing form:

session_start();
$token = "";
$token = $_SESSION['token'];
unset($_SESSION['token']);
session_write_close();

if(empty($token)) {
    echo htmlspecialchars('An error has occurred. Please resubmit.');
//  header( "refresh:3; url=website" );
    die();
}

if($_POST['token'] != $token) {
    echo htmlspecialchars('An error has occurred. Please resubmit.');
//  header( "refresh:3; url=website" );
    die();
}

The token is stored in the form like so: 

<input type="hidden" name="token" value="<?php echo $token;?>"/>

The first time I fill out the form and submit it I always get a token error. However after some testing I realized the problem only occurs when I first start the server (WAMP). After the first initial submission, everything seems to work just fine. Here are some test comparisons I've done:

http://imgur.com/yMeV6QJ,z3VLgi0#0

So the main issue is: When I restart the server, the token comparison seems to fail. After the first initial submit of the form (which is the failure) everything seems to work fine until I exit the server and start it back up again. Why is this happening?

The code that I am using is a modified version of the code posted by @leeppowers in this thread: thread

Community
  • 1
  • 1
ckmartin
  • 41
  • 1
  • 8
  • Which failure block does it go in to? Also why this `$token = ""; $token = $_SESSION['token'];` Just once is enough. – Daan Sep 26 '14 at 14:22
  • @Daan I think it goes into the second block because I was able to echo a second token shown in the pictures. Also I have to set `$token = "";` otherwise I get errors for some reason. It wasn't working when I just tried `$token = $_SESSION['token']`. I'll do some more testing. EDIT: Yeah, its the second block. – ckmartin Sep 26 '14 at 14:25
  • Remove `session_write_close()` – Daan Sep 26 '14 at 14:27
  • Do I remove it in both files? I tried it with just the processing file and it is still failing at the second block. – ckmartin Sep 26 '14 at 14:29
  • Yes try to remove it in both. – Daan Sep 26 '14 at 14:30
  • Also add this line of code `var_dump($_POST['token'], $token);` above `empty($token)` and show it to me. No can't be the unset. – Daan Sep 26 '14 at 14:31
  • Okay, I think removing the `session_write_close()` worked. I accidentally forgot to remove it on the form I was testing (I have two forms). Should I still put in the code you posted above? – ckmartin Sep 26 '14 at 14:33
  • No need if it's solved it's solved :) – Daan Sep 26 '14 at 14:34
  • @Daan Awesome! Thank you so much :)! I wonder why the `session_write_close()` was the issue. I just didn't want my forms to give people token errors every time they visited them for the first time, if that would even happen. – ckmartin Sep 26 '14 at 14:35

0 Answers0