The technique seems to work on my PHP 4 server.  Try the following
procedure.

1. Verify PHP Configuration

Make a simple PHP page that gets information about your server.  If
you are worried about security, delete this page after you've used it!
-------------------------------------------------------------------------------
<?php phpinfo() ?>
-------------------------------------------------------------------------------

In the "Session" section, verify it says "Session Support: Enabled"

In the list of directives look at "session.auto_start".  If this is
"Off", you will require session_start(); at the start of your php
pages.

2. Token Creation

Create a PHP form:
-------------------------------------------------------------------------------
<?php
session_start();
// Store a per-session token that the form will carry as a hidden field.
// Note: uniqid()/microtime() are clock-based rather than cryptographically
// random, so this value is guessable; it is good enough to demonstrate the flow.
$_SESSION['token'] = uniqid(md5(microtime()), true);
?>
<html>
<head></head>
<body>
        <form id="search_form" method="get" action="testphp.php">
                <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" />
                <input type="text" name="name" value="" maxlength="256" size="50" />
                <input type="submit" value="Search" />
        </form>
</body>
</html>
-------------------------------------------------------------------------------

and view the source to ensure it contains the token (and maybe the PHP
session ID):

<input type="hidden" name="PHPSESSID"
value="8c253b566571cb8c47e19c2037470878" />
<input type="hidden" name="token"
value="28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232" />

3. Valid Token processing

Create testphp.php:
-------------------------------------------------------------------------------
<?php

session_start();

// get token variables (default to null if either is missing, which avoids
// undefined-index notices and an accidental null == '' match)
$token_session = isset($_SESSION['token']) ? $_SESSION['token'] : null;
$token_url = isset($_GET['token']) ? $_GET['token'] : null;

// compare them strictly: '==' would treat numeric-looking strings such as
// '1e3' and '1000' as equal, and both values must actually be strings
$comparison = is_string($token_session) && is_string($token_url)
    && $token_session === $token_url;

// set the token to a new value to ensure it is only used once.
$_SESSION['token'] = uniqid(md5(microtime()), true);

// escape before echoing: the URL token is attacker-controlled input
echo 'Token in session [' . htmlspecialchars((string) $token_session) . ']<br>';
echo 'Token from URL [' . htmlspecialchars((string) $token_url) . ']<br><br>';
echo 'Are they equal? ' . ($comparison ? 'Yes' : 'No') . '.<br>';

if (!$comparison) {
  die('Invalid token.');
} else {
  echo 'Valid token.';
}

?>
-------------------------------------------------------------------------------

Token in session
[28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
Token from URL
[28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]

Are they equal? Yes.
Valid token

4. Invalid Token processing

(a) Refresh testphp.php and it should say "Invalid token" because
there's a new token in the session.

(b) Press the back button to get back to the PHP form, and resubmit it.
It might say "invalid token" if the PHP form has been cached by your
browser.

(c) Create an HTML file with a fake form:
-------------------------------------------------------------------------------
<html>
<head></head>
<body>
        <form id="search_form" method="get" action="testphp.php">
                <input type="hidden" name="token" value="blue" />
                <input type="text" name="name" value="" maxlength="256" size="50" />
                <input type="submit" value="Search" />
        </form>
</body>
</html>
-------------------------------------------------------------------------------

This should say "invalid token".
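
The same one-time-token flow as the procedure above, rewritten as a single self-contained page. This is an added example, not the original poster's code: it assumes PHP 7.0 or later (for random_bytes(), hash_equals() and the ?? operator) with session support enabled, and it uses a hypothetical file name csrf_demo.php that the form posts back to. Compared with the steps above it draws the token from the CSPRNG instead of uniqid(md5(microtime())), compares in constant time with hash_equals() instead of ==, sends the form by POST so the token does not end up in URLs, logs and Referer headers, and refuses non-string input (for example token[]=x) before comparing.

```php
<?php
// csrf_demo.php (hypothetical name): added example, not the original poster's
// code. Assumes PHP >= 7.0 with session support enabled. Load it in a browser
// with GET to get the form; submitting the form POSTs back to the same file.

session_start();

// Issue a fresh token from the CSPRNG and store it in the session.
// uniqid()/microtime() are clock-based and guessable; random_bytes() is not.
function csrf_issue_token(): string
{
    $token = bin2hex(random_bytes(32));   // 64 hex chars, 256 bits of entropy
    $_SESSION['token'] = $token;
    return $token;
}

// Validate a submitted token against the one stored in the session.
// The session token is cleared on every attempt, so each token is usable
// at most once (a refresh or a replayed request fails, as in the steps above).
// hash_equals() compares in constant time, so a mismatch cannot be narrowed
// down byte by byte from response timing; both values must be strings.
function csrf_check_token($submitted): bool
{
    $expected = isset($_SESSION['token']) ? $_SESSION['token'] : null;
    unset($_SESSION['token']);

    if (!is_string($expected) || !is_string($submitted)) {
        return false;   // missing token, or array input such as token[]=x
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = csrf_check_token($_POST['token'] ?? null);
    header('Content-Type: text/plain; charset=utf-8');
    if (!$ok) {
        http_response_code(403);
        echo "Invalid token.\n";
        exit;
    }
    $name = isset($_POST['name']) ? (string) $_POST['name'] : '';
    echo "Valid token. Searching for: " . $name . "\n";
    exit;
}

// GET: render the form carrying a newly issued token.
$token = csrf_issue_token();
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>CSRF token demo</title></head>
<body>
  <form id="search_form" method="post" action="csrf_demo.php">
    <input type="hidden" name="token"
           value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
    <input type="text" name="name" value="" maxlength="256" size="50" />
    <input type="submit" value="Search" />
  </form>
</body>
</html>
```

To repeat step 4 against this page: submit the form once (valid), then resubmit the same POST from the browser's history or a saved copy of the form (invalid, because the session token was cleared), and finally post a hand-written form with token=blue (invalid). Because the token is cleared on every check, a page that renders several forms at once needs one token per form or a token that is kept until the session ends; the single-use behaviour here matches the original procedure.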