My XSRF Prevention code isn't working


Posted on 16th Feb 2014 07:03 pm by admin

First of all, thanks for the generous help you guys have given me in the past on this forum.
Second, I apologize in advance if my code is hard to read, most of it was done in a rush.

Here goes:

login.php
Code: <?php
// create anti-csrf cookie value
$hash = sha1(time().rand().strlen(rand()));
$hash = substr($hash, 0, 8);
if (isset($_COOKIE['xsrf[0]'])) {
$i = 0;
while (isset($_COOKIE['xsrf['.$i.']'])) {
$i++;
}
setcookie('xsrf['.$i.']', $hash, 0, '/citizen/', '.ch4n.net');
} else {
setcookie('xsrf[0]', $hash, 0, '/citizen/', '.ch4n.net');
}


?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Citizen - Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="default.css">
</head>

<body>
<div class="header"><?php include("menu.html"); ?></div>

<div class="body">

<?php if (!empty($_GET['errors'])): ?>
<ul>
<li><?php print implode("</li>nt<li>", explode(';', $_GET['errors'])); ?></li>
</ul>
<?php endif; ?>

<form name="login" action="login_process.php" method="POST">
<input type="hidden" name="xsrfi" value="<?php echo $i; ?>" />
<input type="hidden" name="xsrf" value="<?php echo $hash; ?>" />
<table cellpadding="1" cellspacing="1" id="login">
<tbody>
<tr class="username">
<th>Username</th>
<td><input type="text" id="username" name="username" maxlength="20" /><br /></td>
</tr>
<tr class="password">
<th>Password</th>
<td><input type="password" id="password" name="password" maxlength="20" /></td>
</tr>

</tbody>
</table>
<input type="submit" name="submit" value="Login!" />
</form>

</div>

</body>
</html>
login_process.php
Code: <?php
if ($_COOKIE['xsrf['.$_POST['xsrfi'].']'] !== $_POST['xsrf'] || !isset($_COOKIE['xsrf['.$_POST['xsrfi'].']'])):
$errors = "It appears you have been a victim of a browser attack! Please run a virus scan before continuing online activities.;".$_COOKIE['xsrf['.$_POST['xsrfi'].']'].";".$_POST['xsrfi'].";".$_POST['xsrf'];
setcookie('xsrf['.$_POST['xsrfi'].']', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
header("Location: login.php?errors=$errors");
endif;
setcookie('xsrf', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
require('authent.php');
$user = mysql_escape_string(htmlentities($_POST['username']));
$pass = mysql_escape_string(htmlentities($_POST['password']));

$passwordhash = hashPassword($pass);

if(table_exists("user_".$user, 's2zsl9rx_citizen')):
// Make a MySQL Connection
require('c2db.php');
mysql_select_db("s2zsl9rx_citizen") or die(mysql_error());

$result = mysql_query("SELECT * FROM user_$user WHERE type='001'")
or die(mysql_error());

$row = mysql_fetch_assoc($result);

if ($row['val'] == $passwordhash):
$value = $user.','.$row['val'].','.hashPassword(getip());
setcookie('citizeninfo', $value, time()+3600, '/citizen/', 'ch4n.net');
mysql_close();
header("Location: game.php");
else:
$errors = 'Username and/or password are incorrect'.$row['val'];
mysql_close();
header("Location: login.php?errors=$errors");
endif;


else:
$errors = 'Username and/or password are incorrect';
header("Location: login.php?errors=$errors");
endif;
?>
Any help at all would be very much appreciated

No comments posted yet

Your Answer:

Login to answer
265 Like 24 Dislike
Previous forums Next forums
Other forums

How to change Time Zone
HI
I want to change the time zone of the server to another country.How can do that?

Thanks

getting rid of quotes in strings
sick of trying to deal with them in multiple ways (entering in and taking from database, echoing, ec

While Problem
i am having a problem with a while statement here is the code
Code: [Select]<?php
sess

Async WSAConnect failed on XP with error code = 2 ("File not found")
Hi all,

I have very strange bug, please help me if you can.

It is reproduced o

help with calculations on a flat text file
hello,
I have this code below that is attached to a flat file like this:
Email:LastName:FirstN

Log $_POST
How would i log submits on a form, by everyone? I want to then echo the number of submissions.

Question about the upload of large files
Hi there,

I have a question about the upload of large files, like videos (files generally abo

PHP Error
On my .php page I have a drop down box that has several names in it. When a user clicks the name &am

Request.UrlReferrer
I need to make it so that a page can only be loaded when a button is clicked on a specific page. I d

SAP Treasury - Commodities
We are running SAP ECC 6.0 with Treasury Activated.
EA-FIN is also activated (SFW5).

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



 
© indyaspeak.com. All Rights Reserved.
Play Free Quiz and Win Cash