Forms vs secure forms
Home away from home
Joined:
2007/12/4 9:00
Posts: 1132
Can someone tell me what the difference is? I have no idea.

Posted on: 2012/7/1 1:05


Re: Forms vs secure forms
Home away from home
Joined:
2007/12/4 9:00
Posts: 4106
Secure form adds a security token element to the form as a way to be sure the form submission came from the site and not an offline attack, similar to the way you can do a referrer check for the POST data.

Posted on: 2012/7/1 3:17
_________________
Steve
Twitter: @skenow
Facebook: Steve Kenow


Re: Forms vs secure forms
Home away from home
Joined:
2007/12/4 9:00
Posts: 1132
So as a general principle, should I always use the secure one? Is there any circumstance where a normal form would be a better idea?

Posted on: 2012/7/1 3:57


Re: Forms vs secure forms
Home away from home
Joined:
2010/2/12 23:04
From Germany
Posts: 679
I think the token is used as a lookup of the time range to prevent spam/flood attacks. So it should be used in forms which are public, without or with fewer restrictions.

Posted on: 2012/7/1 16:31


Re: Forms vs secure forms
Home away from home
Joined:
2007/12/4 9:00
Posts: 1132
Thanks.

Posted on: 2012/7/2 10:15


Re: Forms vs secure forms
Home away from home
Joined:
2010/2/12 23:04
From Germany
Posts: 679
np. One thing, if someone needs to know: if you're using $obj->getSecureForm() to get the form, don't forget to check if the token is valid.

if (!icms::$security->check()) redirect_header(icms_getPreviousPage(), 3, _YOUR_SECURITY_CHECK_ALERT);

If you don't use the default method and want to use the token method in your HTML form, you can get the token field by

$token = icms::$security->getTokenHTML();

In forms built with PHP:

$form->addElement(new icms_form_elements_Hiddentoken());

In all cases, add the security check in the form action before saving the data. The token will be invalid if it has expired.

Posted on: 2012/7/2 11:49
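The two halves described in the post above, put together in one module page as an added example (this is not ImpressCMS project code and not the poster's): the form is rendered with the hidden token element, and the POST is refused unless icms::$security->check() accepts the token. It assumes it runs as modules/mymodule/index.php on ImpressCMS 1.3, where header.php/footer.php, the icms_form_* classes, icms::$security, redirect_header() and icms_getPreviousPage() come from the core; the module name, the _MD_MYMODULE_* language constants and save_item() are hypothetical placeholders.

```php
<?php
// Added example for this thread, not ImpressCMS project code.
// Assumptions: runs as modules/mymodule/index.php on ImpressCMS 1.3; the
// _MD_MYMODULE_* constants and save_item() are hypothetical placeholders.
include 'header.php';

$op = isset($_POST['op']) ? $_POST['op'] : 'form';

if ($op === 'save') {
    // check() compares the submitted XOOPS_TOKEN field with the tokens stored
    // in this visitor's session. A token that was never issued, belongs to
    // another session, or has expired fails. The default first argument
    // (clearIfValid = true) discards the token once it validates, so a second
    // POST replaying the same token is rejected. redirect_header() exits.
    if (!icms::$security->check()) {
        $why = implode('<br />', icms::$security->getErrors());
        redirect_header(icms_getPreviousPage('index.php'), 3, _MD_MYMODULE_TOKEN_FAILED . '<br />' . $why);
    }

    $title = isset($_POST['title']) ? trim($_POST['title']) : '';
    if ($title === '') {
        redirect_header('index.php', 3, _MD_MYMODULE_TITLE_REQUIRED);
    }
    save_item($title); // hypothetical module function that writes the record
    redirect_header('index.php', 2, _MD_MYMODULE_SAVED);
}

// Build the form by hand (the non-IPF case from the post). The Hiddentoken
// element creates a token for this session and emits the XOOPS_TOKEN field;
// with IPF objects, $obj->getSecureForm() does the same for you.
$form = new icms_form_Theme(_MD_MYMODULE_NEW_ITEM, 'item_form', 'index.php', 'post');
$form->addElement(new icms_form_elements_Text(_MD_MYMODULE_TITLE, 'title', 50, 255), true);
$form->addElement(new icms_form_elements_Hidden('op', 'save'));
$form->addElement(new icms_form_elements_Hiddentoken());
$form->addElement(new icms_form_elements_Button('', 'submit', _SUBMIT, 'submit'));
$form->display();

include 'footer.php';
```

The check runs before any input is read or stored, which is the ordering the post asks for: a request that fails the token check never reaches save_item().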


Re: Forms vs secure forms
Home away from home
Joined:
2009/3/3 4:18
From Belgium
Posts: 1749
Two questions on this:
1. Could this security check be added to the class itself? It looks quite complicated what you have to do to perform an action that is a base functionality.

2. Can this be enhanced security-wise? I was thinking about a nonce.

Posted on: 2012/7/4 7:31
_________________
ImpressCMS.TV - Video Tutorials
d-log - My personal site

Me on Ohloh


Re: Forms vs secure forms
Home away from home
Joined:
2010/2/12 23:04
From Germany
Posts: 679
1. Why complicated? If you are using the default IPF way, you just need to call $obj->getSecureForm() to render the form with the token and, before calling "addobject", use the check. That's it; it's not really complicated. All the rest I wrote was in case someone likes to use the token method in non-IPF forms (if the module isn't IPF based or if you need to add an HTML form yourself).

Posted on: 2012/7/4 10:28


Re: Forms vs secure forms
Home away from home
Joined:
2007/12/4 9:00
Posts: 4106
Quote:

fiammybe wrote:

2. Can this be enhanced security-wise? I was thinking about a nonce.


The token, when used, is session-specific and has an option to clear the token when successfully validated. See class icms_core_Security()

Posted on: 2012/7/4 23:22
_________________
Steve
Twitter: @skenow
Facebook: Steve Kenow
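To make concrete what "session-specific, with an option to clear the token when validated" buys you in answer to the nonce question, here is an added, self-contained re-implementation of that behaviour (our own code, not icms_core_Security and not from any poster; class and method names are ours, the XOOPS_TOKEN field name is the one ImpressCMS uses). It simulates two sessions and a clock so it runs from the command line with PHP 7 or later and shows which submissions are rejected: a replayed token, a token issued to another session, an expired token and a missing field.

```php
<?php
// Added example, not ImpressCMS code: minimal session-bound, time-limited,
// single-use form token. Assumed: PHP 7+, run as `php token_demo.php`.
declare(strict_types=1);

final class FormTokens
{
    const FIELD = 'XOOPS_TOKEN';   // hidden field name, as in ImpressCMS

    private $session;   // stands in for $_SESSION; held by reference
    private $clock;     // returns the current Unix time (injected for the demo)

    public function __construct(array &$session, callable $clock)
    {
        $this->session = &$session;
        $this->clock = $clock;
    }

    /** Issue a token valid for $ttl seconds and remember it in this session. */
    public function create(int $ttl = 900): string
    {
        $token = bin2hex(random_bytes(16));   // 128 random bits: unguessable
        $this->session[self::FIELD][$token] = ($this->clock)() + $ttl;
        return $token;
    }

    /** Hidden input to drop into an HTML form, like getTokenHTML(). */
    public function html(int $ttl = 900): string
    {
        return sprintf('<input type="hidden" name="%s" value="%s" />',
            self::FIELD, htmlspecialchars($this->create($ttl), ENT_QUOTES));
    }

    /** Validate the submitted token against this session; clear it if valid. */
    public function check(array $post, bool $clearIfValid = true): bool
    {
        if (!isset($post[self::FIELD]) || !is_string($post[self::FIELD])) {
            return false;   // field missing: the request did not come from our form
        }
        $submitted = $post[self::FIELD];
        $now = ($this->clock)();
        $issued = isset($this->session[self::FIELD]) ? $this->session[self::FIELD] : [];
        foreach ($issued as $token => $expires) {
            if ($expires < $now) {
                unset($this->session[self::FIELD][$token]);   // drop expired tokens
                continue;
            }
            if (hash_equals((string) $token, $submitted)) {   // constant-time compare
                if ($clearIfValid) {
                    unset($this->session[self::FIELD][$token]);   // single use
                }
                return true;
            }
        }
        return false;   // never issued to this session, expired, or already used
    }
}

// --- constructed demonstration: two sessions and a controllable clock ---
$time  = 1000;
$clock = function () use (&$time) { return $time; };

$alice = [];
$bob   = [];
$tokensA = new FormTokens($alice, $clock);
$tokensB = new FormTokens($bob, $clock);

$t = $tokensA->create(60);
$results = [
    'fresh token accepted'      => $tokensA->check([FormTokens::FIELD => $t]),
    'replay rejected (cleared)' => $tokensA->check([FormTokens::FIELD => $t]),
    'other session rejected'    => $tokensB->check([FormTokens::FIELD => $tokensA->create(60)]),
];
$late = $tokensA->create(60);
$time += 61;   // advance past the 60 s lifetime
$results['expired token rejected'] = $tokensA->check([FormTokens::FIELD => $late]);
$results['missing field rejected'] = $tokensA->check([]);

foreach ($results as $case => $ok) {
    printf("%-28s %s\n", $case, var_export($ok, true));
}
```

Because the token is looked up in the submitter's own session and removed once it validates, it already behaves as a per-request nonce: it cannot be forged without a valid session, replayed after use, or reused after its lifetime. Passing false for $clearIfValid keeps the token alive across several submissions, which is the trade-off to weigh for forms that are legitimately posted more than once.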
