My XSRF Prevention code isn't working
Posted on
16th Feb 2014 07:03 pm by
admin
First of all, thanks for the generous help you guys have given me in the past on this forum.
Second, I apologize in advance if my code is hard to read, most of it was done in a rush.
Here goes:
login.php
Code: <?php
// create anti-csrf cookie value
$hash = sha1(time().rand().strlen(rand()));
$hash = substr($hash, 0, 8);
if (isset($_COOKIE['xsrf[0]'])) {
$i = 0;
while (isset($_COOKIE['xsrf['.$i.']'])) {
$i++;
}
setcookie('xsrf['.$i.']', $hash, 0, '/citizen/', '.ch4n.net');
} else {
setcookie('xsrf[0]', $hash, 0, '/citizen/', '.ch4n.net');
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Citizen - Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="default.css">
</head>
<body>
<div class="header"><?php include("menu.html"); ?></div>
<div class="body">
<?php if (!empty($_GET['errors'])): ?>
<ul>
<li><?php print implode("</li>nt<li>", explode(';', $_GET['errors'])); ?></li>
</ul>
<?php endif; ?>
<form name="login" action="login_process.php" method="POST">
<input type="hidden" name="xsrfi" value="<?php echo $i; ?>" />
<input type="hidden" name="xsrf" value="<?php echo $hash; ?>" />
<table cellpadding="1" cellspacing="1" id="login">
<tbody>
<tr class="username">
<th>Username</th>
<td><input type="text" id="username" name="username" maxlength="20" /><br /></td>
</tr>
<tr class="password">
<th>Password</th>
<td><input type="password" id="password" name="password" maxlength="20" /></td>
</tr>
</tbody>
</table>
<input type="submit" name="submit" value="Login!" />
</form>
</div>
</body>
</html>
login_process.php
Code: <?php
if ($_COOKIE['xsrf['.$_POST['xsrfi'].']'] !== $_POST['xsrf'] || !isset($_COOKIE['xsrf['.$_POST['xsrfi'].']'])):
$errors = "It appears you have been a victim of a browser attack! Please run a virus scan before continuing online activities.;".$_COOKIE['xsrf['.$_POST['xsrfi'].']'].";".$_POST['xsrfi'].";".$_POST['xsrf'];
setcookie('xsrf['.$_POST['xsrfi'].']', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
header("Location: login.php?errors=$errors");
endif;
setcookie('xsrf', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
require('authent.php');
$user = mysql_escape_string(htmlentities($_POST['username']));
$pass = mysql_escape_string(htmlentities($_POST['password']));
$passwordhash = hashPassword($pass);
if(table_exists("user_".$user, 's2zsl9rx_citizen')):
// Make a MySQL Connection
require('c2db.php');
mysql_select_db("s2zsl9rx_citizen") or die(mysql_error());
$result = mysql_query("SELECT * FROM user_$user WHERE type='001'")
or die(mysql_error());
$row = mysql_fetch_assoc($result);
if ($row['val'] == $passwordhash):
$value = $user.','.$row['val'].','.hashPassword(getip());
setcookie('citizeninfo', $value, time()+3600, '/citizen/', 'ch4n.net');
mysql_close();
header("Location: game.php");
else:
$errors = 'Username and/or password are incorrect'.$row['val'];
mysql_close();
header("Location: login.php?errors=$errors");
endif;
else:
$errors = 'Username and/or password are incorrect';
header("Location: login.php?errors=$errors");
endif;
?>
Any help at all would be very much appreciated
No comments posted yet
Your Answer:
Login to answer
265 
24 
Other forums
PHP Code reffering to database, doing something wrong.. pls help
Well i am quite new with PHP
and for school we have to make a PHP script which reffers to a Data
PHP If Else statement for breadcrumb
Hi
I am trying to use a PHP if else statement to display a breadcrumb link on wordpress
HELP with mysql_real_escape_string
I'm looking to remove apostrophes completely when someone enters lyrics but don't have a clue how to
Ignore html and bbcode?
I've created a function to limit the amount of text according to the amount of words.
However
how to load a Sys file with system load and call images?
normally you need register the module as a service with CreateService, and start the service
Error when call dll from oracle
Hi all, please help me!
I have dll write C language, I want call it from oracle procedur
Date/Time and Checkbox
Hi Everyone,
I am trying to figure out how to insert the current date and tim
Default TimeZone
The server I'm working with is hosted in America so all times inserted into the database are coming
Two fgetcsv related questions ;D
First of im trying to get a file from a merchants server but the directory is protected, I know the
unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_
Can anyone view my code and tell me why im getting the error:
Parse error: syntax error, unexpect
