[nycphp-talk] Spoofing Forms

Chris Shiflett shiflett at php.net
Fri Feb 4 01:32:27 EST 2005


I saw a reference to this on another site:

http://education.nyphp.org/phundamentals/PH_spoofed_submission.php

Actually, I saw it quoted, and here is the part that was quoted:

--

One implementation would be to store the secret in the user's session:

    $secret = md5(time());
    $_SESSION['secret'] = $secret;

--

Yikes! That sure is a weak secret.

I'm sure the date for edits has passed, but would anyone mind if we
changed this to the following?

$secret = md5(uniqid(rand(), true));

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming Soon                 http://httphandbook.org/
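The following is an added example, not code from the original post or from the NYPHP phundamentals article it quotes. It models the session-stored form secret under discussion: first the md5(time()) variant with an attacker guessing it through the server's own check, then a generation/check pair built on PHP's CSPRNG (random_bytes, PHP 7.0 and later) with a constant-time comparison (hash_equals). The function names, the attacker window and the "four minutes ago" session start are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the original post or from the NYPHP
// phundamentals article. Models the session-stored form secret discussed
// above: first the md5(time()) variant and an attacker guessing it through
// the server's own check, then a generation/check pair built on PHP's CSPRNG
// (random_bytes, PHP >= 7.0) with a constant-time comparison (hash_equals).

// The weak variant: the "secret" is a pure function of the wall clock.
function weakSecret(int $timestamp): string
{
    return md5((string) $timestamp);
}

// The server-side check a form handler would run on every submission.
// Returns false on a missing or non-string token so an empty POST never passes.
function verifyFormSecret(array $session, array $post): bool
{
    if (!isset($session['secret'], $post['secret']) || !is_string($post['secret'])) {
        return false;
    }
    return hash_equals($session['secret'], $post['secret']);
}

// Attacker model (assumed): knows the secret scheme and roughly when the
// victim's session began, and can cause the victim's browser to submit the
// form (the spoofed submission the article is about). Each guess is one forced
// submission; the handler itself is the oracle. Returns the number of
// submissions needed, or null if the whole window failed.
function guessWeakSecret(array $session, int $approxStart, int $windowSeconds): ?int
{
    $attempts = 0;
    for ($t = $approxStart - $windowSeconds; $t <= $approxStart + $windowSeconds; $t++) {
        $attempts++;
        if (verifyFormSecret($session, ['secret' => weakSecret($t)])) {
            return $attempts;
        }
    }
    return null;
}

// The hardened variant: 256 bits from the CSPRNG, hex-encoded for the
// hidden field, stored in the session the same way the article's sketch does.
function issueFormSecret(array &$session): string
{
    $secret = bin2hex(random_bytes(32));
    $session['secret'] = $secret;
    return $secret;
}

// --- Demonstration on a constructed session that began four minutes ago. ---
$sessionStart = time() - 240;

$weakSession = ['secret' => weakSecret($sessionStart)];
$attempts = guessWeakSecret($weakSession, time(), 3600);
printf("md5(time()) secret: spoofed submission accepted after %s guesses\n",
    $attempts === null ? 'no' : (string) $attempts);

$strongSession = [];
$secret  = issueFormSecret($strongSession);          // value for the hidden field
$legit   = verifyFormSecret($strongSession, ['secret' => $secret]);
$spoofed = verifyFormSecret($strongSession, ['secret' => weakSecret($sessionStart)]);
$empty   = verifyFormSecret($strongSession, []);
printf("random_bytes secret: legitimate=%s spoofed=%s missing=%s\n",
    $legit ? 'accepted' : 'rejected',
    $spoofed ? 'accepted' : 'rejected',
    $empty ? 'accepted' : 'rejected');
```

Run with `php example.php`. The clock-derived secret falls to a few thousand forced submissions because its entire entropy is the session start time to the second; the CSPRNG secret has no such structure, and hash_equals keeps the comparison from leaking which prefix of the token matched.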