My XSRF Prevention code isn't working
Posted on
16th Feb 2014 07:03 pm by
admin
First of all, thanks for the generous help you guys have given me in the past on this forum.
Second, I apologize in advance if my code is hard to read, most of it was done in a rush.
Here goes:
login.php
Code: <?php
// create anti-csrf cookie value
$hash = sha1(time().rand().strlen(rand()));
$hash = substr($hash, 0, 8);
if (isset($_COOKIE['xsrf[0]'])) {
$i = 0;
while (isset($_COOKIE['xsrf['.$i.']'])) {
$i++;
}
setcookie('xsrf['.$i.']', $hash, 0, '/citizen/', '.ch4n.net');
} else {
setcookie('xsrf[0]', $hash, 0, '/citizen/', '.ch4n.net');
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Citizen - Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="default.css">
</head>
<body>
<div class="header"><?php include("menu.html"); ?></div>
<div class="body">
<?php if (!empty($_GET['errors'])): ?>
<ul>
<li><?php print implode("</li>nt<li>", explode(';', $_GET['errors'])); ?></li>
</ul>
<?php endif; ?>
<form name="login" action="login_process.php" method="POST">
<input type="hidden" name="xsrfi" value="<?php echo $i; ?>" />
<input type="hidden" name="xsrf" value="<?php echo $hash; ?>" />
<table cellpadding="1" cellspacing="1" id="login">
<tbody>
<tr class="username">
<th>Username</th>
<td><input type="text" id="username" name="username" maxlength="20" /><br /></td>
</tr>
<tr class="password">
<th>Password</th>
<td><input type="password" id="password" name="password" maxlength="20" /></td>
</tr>
</tbody>
</table>
<input type="submit" name="submit" value="Login!" />
</form>
</div>
</body>
</html>
login_process.php
Code: <?php
if ($_COOKIE['xsrf['.$_POST['xsrfi'].']'] !== $_POST['xsrf'] || !isset($_COOKIE['xsrf['.$_POST['xsrfi'].']'])):
$errors = "It appears you have been a victim of a browser attack! Please run a virus scan before continuing online activities.;".$_COOKIE['xsrf['.$_POST['xsrfi'].']'].";".$_POST['xsrfi'].";".$_POST['xsrf'];
setcookie('xsrf['.$_POST['xsrfi'].']', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
header("Location: login.php?errors=$errors");
endif;
setcookie('xsrf', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
require('authent.php');
$user = mysql_escape_string(htmlentities($_POST['username']));
$pass = mysql_escape_string(htmlentities($_POST['password']));
$passwordhash = hashPassword($pass);
if(table_exists("user_".$user, 's2zsl9rx_citizen')):
// Make a MySQL Connection
require('c2db.php');
mysql_select_db("s2zsl9rx_citizen") or die(mysql_error());
$result = mysql_query("SELECT * FROM user_$user WHERE type='001'")
or die(mysql_error());
$row = mysql_fetch_assoc($result);
if ($row['val'] == $passwordhash):
$value = $user.','.$row['val'].','.hashPassword(getip());
setcookie('citizeninfo', $value, time()+3600, '/citizen/', 'ch4n.net');
mysql_close();
header("Location: game.php");
else:
$errors = 'Username and/or password are incorrect'.$row['val'];
mysql_close();
header("Location: login.php?errors=$errors");
endif;
else:
$errors = 'Username and/or password are incorrect';
header("Location: login.php?errors=$errors");
endif;
?>
Any help at all would be very much appreciated
No comments posted yet
Your Answer:
Login to answer
265 
24 
Other forums
Help to integrate whois Domain Details to website
Hi,
can i know is their any php script r methods to add domain details to my website.
IP question
ive got 2 ip addresses both global from same user how would i detect if they are local to each other
Table colours fail when extra row added
Hey Gurus,
I got a weird problem with formating the colour of a table made in php. Everything
Is STL important?
I'm just starting programming and I've made it until the Standart Template Library. But the chapter
Warning: mysql_num_rows() expects parameter 1
When i add quote at the end of this link
example:http://localhost/articlemania/category.php?cid=3
Problem with PHP code- simple contact form
I'm relativily new to PHP; I know HTML and CSS stuff but I have a problem- I have a contact form wit
Schedule editor
Hi,
I have a question related to Schedule editor.
If we schedule a BLS for every 30
Problem!
I have another problem, when i run this code i get this error "Parse error: syntax error, unexp
When i am Canseling the Billing Document in VF11 I am getting Shortdump
Hi Experts
When i am Canseling the Billing Document in VF11 I am getting Shortdump.
Socket Server Response Headers
Earlier I had a post about my Socket Server, I wasn't able to get it to connect, now I can
I
