SOS: PHP Form, secure popup

iosoft

I need to open a PHP form as a pop-up window when someone clicks a button.

Say, the main file is - Report.html
PHP form is - Form.php

I am calling the Form.php from Report.html using simple Javascript code -

Code:
var w=window.open("/form.php","", "width=400,status=yes,resizable=no");

Question: How can I secure this so that Form.php can be accessed only by clicking that button and not by directly entering the Form.php URL?

Current problem is that, if someone types http://mydomain.com/Form.php then the form opens, which I don't want..... it may have some security risk.
 
PHP:
<?php
if ($_SERVER['HTTP_REFERER'] == "http://domain.com/full_path_to_report.php")
{
  //Code to display the form content
}
else
{
    //Confuse the curious cat
    header("HTTP/1.1 404 Not Found");
    header("Status: 404 Not Found");
?>
<html>
 <head>
  <title>404 Page Not Found!</title>
  </head>
<body>.........</body>
</html>
<?php
}
?>

HTH
 
Depending on your program I wouldn't be trusting that if I were you. HTTP_REFERER is there to please oneself that he has done something without deterring anyone who wants to exploit. It is set by the user agent, which leaves it open to be exploited. Even worse, if it's disabled (many people do that) your users won't even know what the problem is with a 404 error.

If you want something foolproof, start a session on the request page and check the session id when the form opens. It's more programming, but it's more "secure" :)
 
Let's make it huge :eek:hyeah:

Before asking for help here in TE, I actually tried the PHP SESSION.

But not getting the value in the other child-page.

Details -

As you know, in the system, master.php is calling child.php as pop-up window. Like -

Code:
var w=window.open("child.php","Form", "width=400,status=yes,resizable=no");

Now, I want to create a SESSION variable (say 'iosoft') in master.php and pass the value to child.php

in master.php -

Code:
if(!session_id()) session_start();

session_register('iosoft'); // optional, added for testing

$_SESSION['iosoft']="Hello World";

echo $_SESSION['iosoft']; // Testing: working OK

in child.php -

Code:
session_start();

echo $_SESSION['iosoft']; // printing BLANK

print_r($_SESSION); // printing 'Array()'

echo count($_SESSION); // printing '0'

I am not getting the value in master.php, but the session is registered in the session file under session directory -

Code:
iosoft|s:76:"Hello World";

!?!
 
PHP:
var w=window.open("child.php?<?php echo htmlspecialchars(SID); ?>","Form", "width=400,status=yes,resizeable=no");

Try this... you need to pass the session id to the next page.
 
I am printing the SESSION ID in both places, they have same code - 12a1aabaae8a84dcf73ec2fc88b4bd3a.

In child form -

Code:
session_id(strip_tags($_GET['sid']));

session_start();

echo "Session: ".$_SESSION["iosoft"];

print_r($_SESSION);

echo "\n".count($_SESSION);

echo "ID:".session_id();

still $_SESSION["iosoft"] is empty..................... I am dying.
 
^ Thanks buddy.

Dear Friends and Arya,

I think I have solved the problem, not sure but will post the reason if I am sure.

Meanwhile, another small question

Whenever I am creating a SESSION in the Master.php, it is giving the same SESSION_ID every time.

How to solve this ?
 
Yet not 100% sure why, but this code is working like :S
Code:
var w=window.open("child.php?<?php echo htmlspecialchars(SID); ?>"....

No no, not your fault, internet examples also use it.
My test system is also working with it, but when I put it in the main file, it's not working.

I changed to -
Code:
child.php?sid=<?php echo session_id();?>

and in child.php
Code:
session_id(strip_tags($_GET['sid']));
session_start();

SUCCESS :clap:

Thanks to ARYA, SAFIN, NUKEU :hap2:
 
In an ideal situation I don't think there should be any need to pass the session_id in the URL.. make sure your browser is accepting cookies.

And a session_id in the URL is itself a security threat.. so avoid using it if the application has important data and money is related somehow, otherwise it's ok, nobody will care to sniff the session if it's just a small application.

Thanks
 
In this particular case, sorry I may have confused you before, you should register the script in the session and then check the path in the next page rather than checking the session id (which you have to check, but that's what would ensure the correct "entry path").

Having said that this looks like an overkill as this doesn't look like any important hackable application, or i may be wrong :)
 
in ideal case this code should work

master.php

session_start();
$_SESSION['myvar'] = 8900;

child.php

session_start();
// redirect back to master.php unless the marker is present and correct
if (!isset($_SESSION['myvar']) || $_SESSION['myvar'] != 8900) {
    header("Location: master.php");
    die;
}
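Putting together the advice in this thread (the first reply's point that HTTP_REFERER is client-supplied and often absent, the later warning that a session id in the URL is a security risk, and the "ideal case" marker check just above), here is an added example of the master.php/child.php pair with the entry check done entirely server-side. This is editorial example code, not code posted in the thread. It assumes PHP 7 or later (random_bytes, hash_equals, session.use_strict_mode); the key names form_token and form_expires, the 5-minute lifetime and the comment field are my own choices.

```php
<?php
// ---------- master.php (added example, not from the thread) ----------
// The session id travels only in the cookie: nothing is appended to the popup
// URL, so a copied link can neither leak nor fix the session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
session_start();
session_regenerate_id(true);               // fresh id each time the flow is entered

// Mint a per-session entry token. It lives server-side only and expires after
// 5 minutes; child.php treats its absence as "not opened from the report page".
$_SESSION['form_token']   = bin2hex(random_bytes(16));
$_SESSION['form_expires'] = time() + 300;
?>
<!DOCTYPE html>
<html><body>
<button onclick='window.open("child.php", "Form", "width=400,status=yes,resizable=no")'>
  Open form
</button>
</body></html>

<?php
// ---------- child.php (added example, not from the thread) ----------
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// True only when master.php minted a token in this session and it is still fresh.
function entry_is_valid(array $session): bool
{
    return !empty($session['form_token'])
        && isset($session['form_expires'])
        && $session['form_expires'] >= time();
}

// A direct hit on child.php carries no token: answer 403 (not a fake 404, which
// only confuses honest users) and leave a trace in the server log.
if (!entry_is_valid($_SESSION)) {
    error_log('child.php opened without entry token from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    header('HTTP/1.1 403 Forbidden');
    exit('Please open the form from the report page.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The hidden field must match the server-side token (constant-time compare).
    // The token is consumed on success, so one entry allows one submission.
    $posted = $_POST['form_token'] ?? '';
    if (!is_string($posted) || !hash_equals($_SESSION['form_token'], $posted)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Invalid or expired form token.');
    }
    unset($_SESSION['form_token'], $_SESSION['form_expires']);
    // ... handle the submitted data ($_POST['comment']) here ...
    exit('Form accepted.');
}
?>
<!DOCTYPE html>
<html><body>
<form method="post" action="child.php">
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8'); ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
</body></html>
```

If the session cookie never reaches child.php (the symptom described several times in this thread), this version fails closed with a 403 and a log line rather than silently showing an empty $_SESSION, which makes the cookie problem visible during testing instead of after deployment.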
 
Code:
child.php

session_start();
if (!isset($_SESSION['myvar']) || $_SESSION['myvar'] != 8900) {
    header("Location: master.php");
    die;
}
Here, is the PROBLEM, yes, still problem....... :huh:

!isset($_SESSION[myvar]) is giving NULL in child.php
but giving the correct value in master.php :mad:

Is there any problem associated with REGISTER GLOBAL ON/OFF !!!!!!
 
seems sessions are not working,

check your browser is accepting cookies, try to disable your firewall then try..
btw is this php on linux or windows ?

Thanks
 
everything linux, SERVER(BSD), CLIENT(FC), FIREFOX.

BUT, the session file is being generated in the /tmp DIR.

Just not passing the value to client.php

Alternative to SESSION (fighting for 3 days... what if again error starts after final deployment) ?
 