2
I have a login form that sends data via post and would like to block the login via Curl. That’s possible?
1 answer
6
It is possible if you use a good engineering for Cross-Site Request Forgery (CSRF) Prevention.
Basically, your form will have a field where you store a token which has a lifespan and is validated at the url that receives the form. Curl will not know how to fill in the value of this field which is dynamic and generated during <form
Extremely simple example:
<?php
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>
<form action="controller.php" method="post">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="submit/>
</form>
In controller.php:
<?php
if ($_POST['token'] == $_SESSION['token']){
/* Valid Token */
}
-
But in theory if he accessed the form page first, and picked up this token, he could log in without any problems ?
-
Yes, if you keep the same session. This way, the script needs to be more sophisticated. The next security step is to use Virtual Keyboard or Captcha
Browser other questions tagged php curl
You are not signed in. Login or sign up in order to post.
My answer worked for you?
– gpupo
Gave yes mano valeu :D, tbm am using http_reference.
– Leandro Costa
What solves in a really decent way is Recaptcha. Otherwise everything is possible to simulate via CURL. Recaptcha tb can be solved by robot, but it is much more difficult.
– Karl Zillner
And watch the filter for the referrer. It’s not that efficient to do that, the guy might have closed the browser and reopened by loading the page q was open. Or simply someone may have sent the link to him by email or some messaging app.
– Karl Zillner