Security Token?

kokjj87 · 12-11-2008, 05:56 AM

Hi, i am trying to come up with a security token system for all my
form, normal approach would be setting a token and put it in to the
session whenerever the user request a new page.

$_SESSION['token'] = random string here.

The problem is, the string would be overwritten everytime when a user
request a new page.
But it is common now for people to open up a few tab for a website.
And it would cause the token to expire, and cause the last few tabs
you open to fail the security token check.

Is there a better soultion?

Tanax · 12-11-2008, 06:57 AM

I have no idea, but how about:

PHP Code:


			
if($_SESSION['token'] == '')
{
       $_SESSION['token'] = 'random string';
}

that way, the token is only generated if the user don't already have a token.
But I'm not sure if this would actually work as a security then.

kokjj87 · 12-11-2008, 08:01 AM

Maybe i can add a timer for my session...

$_SESSION['token_created_time'] = //time of the token created

and check on the request, and update the token value, in about every 20minutes.
But still worried that people visit the page on the 19th minutes, and they will have trouble with the token.

I am still trying to think of a more complex way, maybe store a array of the last few tokens in the session? and they are allow to by pass the security check?

Any comment would be greatly appreciate.