PHP Form Key Niggle?

7331

New Member
Can someone look at my two functions below and suggest what I can do? I have created two functions that basically create a unique key, and this is echoed in a hidden field in a form; then, straight after I check if the form has been submitted, the second function checks to see if the key in the hidden field matches the key in the session.

The problem I am having is that now and again it just redirects me to the forbidden page, suggesting the keys don't match, although I have not deliberately edited the form key using my Firefox web dev tools to test. I am not sure if it's a cache issue or not. Can anyone see if there is something that I am missing out or could improve on? It only happens now and again; for example, if I submit the form a few times it may then just go to the forbidden page, which suggests the key in the hidden field did not match the key in the session, although I see nothing wrong with my two functions. I obviously want to try and solve this, as I would rather not have people emailing me saying they are having such problems.

Here is my first function. This creates a unique key, and this is echoed out in a hidden field in the form. I also have a time limit on how long a user has to submit the form, but I have commented that out as of now because it seems to happen more often when enabled.

    function GenerateFormTokenHash($token)
    {
        $token = $_SESSION['token'] = md5(uniqid(mt_rand(), true));
        //$token_time = $_SESSION['token_time'] = time();
        return htmlspecialchars($token);
        //return $token_time;
    }

To use the function above I simply echo GenerateFormTokenHash($token); in a hidden field called token.

The function below is used straight after I check if the form has been submitted.

    # Form Token Hash Validator
    function IsValidFormTokenHash()
    {
        /*global $websiteaddress;
        $token_age = time() - $_SESSION['token_time'];
        if($token_age >= 300)
        {
            echo 'Session Expired';
            echo 'This form has now expired. ';
            echo 'Please click here to go back to the form.';
            $_SESSION = array();
            setcookie(session_name(), '', time()-42000, '/');
            # Destroy the session
            session_destroy();
            # Generate new session id
            session_regenerate_id(true);
            exit;
        }*/
        if(isset($_POST['token']) && $_POST['token'] != $_SESSION['token'] || !isset($_POST['token']) || !isset($_SESSION['token']))
        {
            $_SESSION = array();
            setcookie(session_name(), '', time()-42000, '/');
            # Destroy the session
            session_destroy();
            # Generate new session id
            session_regenerate_id(true);
            redirect("/error/forbidden.php");
            exit;
        }
    }

Again, that function is in my functions.php file, so after I check if the form has been submitted I simply call the function as follows:

    if(isset($_POST['submit']))
    {
        IsValidFormTokenHash();
    }

So I am basically trying to work out why sometimes, now and then, it just thinks the session key and the key in the hidden field do not match. Maybe a cache issue, or something I can do to ensure it works properly?

Thanks for any help.

Thank you,
PHPLOVER
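
An added example, not part of the original post: `GenerateFormTokenHash()` above overwrites `$_SESSION['token']` on every call, so any later render of the form (a second tab, a reload, a duplicate request) replaces the token that an already-open form holds; the sketch below reuses one token until it expires, generates it with `random_bytes()` and compares it with `hash_equals()`. The function names, the `TOKEN_TTL` constant and passing the session in as an array (so the script runs from the PHP CLI without `session_start()`) are assumptions of this example.

```php
<?php
// Added example, not the poster's code. form_token(), is_valid_form_token()
// and TOKEN_TTL are hypothetical names. In a real page, pass $_SESSION and
// $_POST after session_start(); arrays are used here so it runs from the CLI.

const TOKEN_TTL = 300; // seconds; same limit as the post's commented-out check

// Return the session's token, creating one only if none exists or it expired.
// Reusing it means rendering the form again does not invalidate a form
// that is already open in the browser.
function form_token(array &$session, int $now): string
{
    $expired = isset($session['token_time'])
        && ($now - $session['token_time']) >= TOKEN_TTL;
    if (empty($session['token']) || $expired) {
        $session['token'] = bin2hex(random_bytes(32)); // CSPRNG instead of md5(uniqid())
        $session['token_time'] = $now;
    }
    return $session['token'];
}

// True only if a token was posted, one is stored, it is still fresh, and they match.
function is_valid_form_token(array $session, array $post, int $now): bool
{
    if (!isset($post['token'], $session['token'], $session['token_time'])) {
        return false;
    }
    if (!is_string($post['token']) || ($now - $session['token_time']) >= TOKEN_TTL) {
        return false;
    }
    return hash_equals($session['token'], $post['token']); // constant-time compare
}

// Constructed demo: the form is rendered twice, then submitted from the first render.
$session = [];
$t0 = 1700000000; // constructed timestamp
$firstRender  = form_token($session, $t0);
$secondRender = form_token($session, $t0 + 10);
var_dump($firstRender === $secondRender);                                       // both renders compared
var_dump(is_valid_form_token($session, ['token' => $firstRender], $t0 + 20));   // submit from first render
var_dump(is_valid_form_token($session, ['token' => 'forged'], $t0 + 20));       // wrong token
var_dump(is_valid_form_token($session, ['token' => $firstRender], $t0 + 301));  // submit after TOKEN_TTL
var_dump(is_valid_form_token($session, [], $t0 + 20));                          // no token posted
```

When printing the token into the hidden field, `htmlspecialchars()` can still be applied as in the original function; a failed check here returns `false` and leaves the decision to redirect or destroy the session to the caller.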
 