Dear support team,
Please help me with the following issue. I have a poll with a custom login form.
On the next form I validate the login and password and get the UserID. In the other forms I check the UserID and load the data.
It's very easy to manipulate any form if you put the id in the URL. For example:
...m=frmTest&userID=10&event=submit
...m=frmTest&userID=12&event=submit
Is there a way to close the gap? I have tried with "MultiPage" in Load, Session To Data and Check Token — nothing happens.
Please help me.
Thanks!!!
Hi Melgui,
I'm not sure exactly what the problem is but here's a suggested solution. I'd add a custom token to the user session on the first page - just a random string is enough; then check for this on the later pages. If there is a strict sequence then you can also save the last page number in the session and check that. If the user appears on the 'wrong' page then auto-redirect them back to the right one.
Bob
Hallo Bob,
Thank you for your reply.
By custom token, do you mean the "Session key", or how can I create it?
By checking the token, do you mean the "Check Token Event"?
Thanks a lot.
What I do on each page:

Serverside Validation:
Hi Melgui,
I'd just do it with PHP - it's not quite the same as the Joomla! Check Token.
On the first Page On Load event add a Custom Code action:
<?php
// Joomla 1.5: get the session object (plain assignment; the old "=&" form is deprecated)
$session = JFactory::getSession();
// store a random token in the session for the later pages to check
$session->set('my_token', rand(1000, 9999));
?>
In the following pages
<?php
$session   = JFactory::getSession();
$mainframe = JFactory::getApplication(); // the application object, used for the redirect
$my_token  = $session->get('my_token', '');
// no token in this session: the visitor did not come through the first page
if ( !$my_token ) {
    $mainframe->redirect('some_url');
}
?>
Bob
Ok. I did as you wrote but something is wrong. If I open another browser and
open: http://www.blabla.de/index.php/pol?lang=de&chronoform=frmForm4&UserID=10&event=submit
then I can see the form with the loaded data.
Mmmm, help🙂
Hi melgui,
I missed a $ in this line of the code I posted:
if ( !$my_token ) {
I don't know why you have wide boxes - I've never seen that before :-(
Bob
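The gap melgui still sees is that the token only proves a session exists; it does not tie the UserID to the person who logged in, so any UserID in the URL is still honoured. As an added example (not Bob's code and not ChronoForms' own), here is how the login page could bind the validated UserID to the session and how each later page could take the id from the session instead of the URL. It assumes the Joomla 1.5 `JFactory`/`JRequest` calls used above, a session key named `auth_user_id` and a login form named `frmLogin` (both names assumed), and that `$form->data` is the ChronoForms data array.

```php
<?php
// Added example, not from the thread. Two Custom Code actions are shown in one listing.

// --- 1. On the login form, AFTER the login and password have been validated ---
// $validatedUserId is whatever your own check returned (assumed name).
$session = JFactory::getSession();
$session->set('auth_user_id', (int) $validatedUserId);        // key name assumed
$session->set('my_token', md5(uniqid(mt_rand(), true)));      // unpredictable token

// --- 2. On every later page, in the On Load event ---
$session = JFactory::getSession();
$app     = JFactory::getApplication();

$authUserId = (int) $session->get('auth_user_id', 0);
$myToken    = $session->get('my_token', '');

// No login in this session: back to the login form (redirect() ends the request).
if (!$authUserId || !$myToken) {
    $app->redirect('index.php?option=com_chronoforms&chronoform=frmLogin'); // URL assumed
}

// Never trust UserID from the URL. If one was supplied and it differs from the
// id bound to the session, treat it as tampering and refuse to load anything.
$requested = JRequest::getInt('UserID', $authUserId);
if ($requested !== $authUserId) {
    $app->redirect('index.php?option=com_chronoforms&chronoform=frmLogin',
                   'Invalid request.', 'error');
}

// Load data for the session's user only, overwriting whatever came in the URL.
$form->data['UserID'] = $authUserId;
?>
```

With this in place the second browser in melgui's test has no `auth_user_id` in its session, so `...&UserID=10&event=submit` is redirected instead of loading user 10's data.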