Home/ Questions/Q 8922969
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T06:59:04+00:00

I have a php page that submits form to itself. I wanted to add

  • 0

I have a php page that submits form to itself.
I wanted to add a check where I can possibly stop basic cross site forgery.

my code:

<?php
session_start();

(...) //some code

$secret = substr(md5(uniqid(rand(), true)), 1, 2);
$_SESSION["secret"] = $secret;
$auth = $secret;

?>

(...)

<form id="form" name="form" action="<?php echo htmlentities($_SERVER[PHP_SELF]); ?>" method="post">

(...)

<input type="hidden" name="id" value="<? echo $auth; ?>" />

(...)

<?php

(...)

//as a debug I just tried to display
echo $_POST["id"];
echo "=";
echo $_SESSION["secret"];

(...)

?>
<div>
</body>
</html>

But both id and secret never returns the same value.
Why is that? What am I missing?

UPDATE

So, I tried an answer here by Samuel Cook, as also suggested by the comment of Jon Stirling:

if(!isset($_SESSION["secret"])){
    $secret = substr(md5(uniqid(rand(), true)), 1, 2);
    $_SESSION["secret"] = $secret;
    $auth = $secret;
}

But now if there is no $_SESSION["secret"]
The page returns:

<input type="hidden" name="id" value="" />

I understand why, its because secret is only being set if the session variable is present.
Any suggestions?

UPDATE

Moved the check before generating a new session key and is only checking if there is a post of id. works well now thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    At the point when you debug code executes, the secret has changed:

    echo $_POST["id"]; // previous secret
echo "=";
echo $_SESSION["secret"]; // new secret

    As long as you do your check for a match at the beginning of the script (before generating the next secret) it will be fine.

    • 0