
Multi Page with custom login—how to protect forms correctly

Melgui 21 Mar, 2012
Dear support team,

please help me in the following issue. I have a poll with custom login form.
On the next form I validate login and password and let me get UserID. In other forms I check userid and load data.
It's very easy to manipulate any form if you put id in the url. For example:

...m=frmTest&userID=10&event=submit
...m=frmTest&userID=12&event=submit

Is there a way to close the gap? I have tried with "MultiPage" in Load and Session To Data and Check Token — nothing happens.
Please help me.

Thanks!!!
GreyHead 21 Mar, 2012
Hi Melgui,

I'm not sure exactly what the problem is but here's a suggested solution. I'd add a custom token to the user session on the first page - just a random string is enough; then check for this on the later pages. If there is a strict sequence then you can also save the last page number in the session and check that. If the user appears on the 'wrong' page then auto-redirect them back to the right one.

Bob
Melgui 21 Mar, 2012
Hallo Bob,
thank you for your reply.
Do you mean "Session key" with custom token or how I can create it?
For checking token you mean "Check Token Event"?

Thanks a lot.

What I do on each page:

Serverside Validation:
GreyHead 21 Mar, 2012
Hi Melgui,

I'd just do it with PHP - it's not quite the same as the Joomla! Check Token.

On the first Page On Load event add a Custom Code action:
<?php
// Store a random token in the user's session when the first page loads
$session = JFactory::getSession();
$session->set('my_token', rand(1000, 9999));
?>

In the following pages
<?php
// Read the token back; if it is missing the user did not come through page 1
$session = JFactory::getSession();
$my_token = $session->get('my_token', '');
if ( !$my_token ) {
  // $mainframe is not defined inside a custom code action, so fetch the application object
  $mainframe = JFactory::getApplication();
  $mainframe->redirect('some_url');
}
?>

Bob
Melgui 21 Mar, 2012
Each page looks as following:
GreyHead 21 Mar, 2012
Hi melgui,

I missed a $ in this line of the code I posted:
if ( !$my_token ) {

I don't know why you have wide boxes - I've never seen that before :-(

Bob
Melgui 22 Mar, 2012
Yuuuhu! Thanks. It works. Additionally, that brings me to the idea of comparing the userid from the session with the user id in the postback, so I do a double check. And this is enough to do what I need.
Thanks for your help!
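Putting Bob's session token together with Melgui's idea of comparing the session user ID against the posted one, here is an added example that is not code from this thread, from ChronoForms or from Joomla!. It assumes the Joomla! 1.5/2.5-era APIs JFactory::getSession(), JFactory::getApplication() and JRequest::getInt(); the function names (mp_start_session_token, mp_bind_user, mp_guard) and the session keys my_token, my_userid and my_page are made up for the example. The point it shows is that the later pages load data by the user ID held in the session, and the userID parameter in the URL or POST is only ever compared against it, never used directly.

```php
<?php
// Page 1, On Load: create a fresh per-session token and reset the state.
function mp_start_session_token()
{
    $session = JFactory::getSession();
    // Use a strong random source when available; fall back to uniqid otherwise.
    $token = function_exists('openssl_random_pseudo_bytes')
        ? bin2hex(openssl_random_pseudo_bytes(16))
        : md5(uniqid(mt_rand(), true));
    $session->set('my_token', $token);
    $session->set('my_page', 1);
    $session->set('my_userid', null);   // no user bound yet
    return $token;
}

// Page 2, only after the login/password check has succeeded:
// bind the authenticated user to this session.
function mp_bind_user($userId)
{
    $session = JFactory::getSession();
    $session->set('my_userid', (int) $userId);
    $session->set('my_page', 2);
}

// Later pages, On Load and On Submit: refuse any request that does not belong
// to a session that passed page 1 and page 2, and reject a posted userID that
// disagrees with the session. Returns the trusted user ID to load data with.
function mp_guard($expectedPage, $returnUrl)
{
    $session = JFactory::getSession();
    $app     = JFactory::getApplication();

    $token  = $session->get('my_token', '');
    $userId = (int) $session->get('my_userid', 0);
    $page   = (int) $session->get('my_page', 0);

    // No token, no bound user, or pages skipped: send back to the start.
    if (!$token || !$userId || $page < $expectedPage - 1) {
        $app->redirect($returnUrl, 'Please start from the first page.');
    }

    // Melgui's double check: a userID in the request must match the session.
    $posted = JRequest::getInt('userID', 0);   // assumed: Joomla! 1.5/2.5 JRequest
    if ($posted && $posted !== $userId) {
        $app->redirect($returnUrl, 'Form data does not match your session.');
    }

    $session->set('my_page', $expectedPage);
    return $userId;   // use this value, not the request parameter, to load records
}
?>
```

Call mp_start_session_token() in the first page's On Load, mp_bind_user($id) right after the credentials have been validated on the second page, and $userId = mp_guard(3, 'index.php?option=com_chronoforms&chronoform=frmTest') (page number adjusted per page) in each later page's On Load and On Submit, then load the user's data with the returned $userId. Changing userID=10 to userID=12 in the URL then only produces a redirect, because the record is always fetched for the ID the session holds.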