Hi,
Sorry I'm new to using Tokens, so having difficulty understanding it.
Say I have:
where:
$token = md5(sha1($salt.$ip).sha1($salt.$formName));
When form is submitted following is set:
However, if after first submission username or password is incorrect and the form is resubmitted with correct username or password a new $token would be generated. In that case how can I test:
if($_SESSION['token'] == $token){
//ok
}else{ //not OK
The chances are that the new token generated will never be equal to $_SESSION['token'] and the above condition will never be met. Have I got this wrong or are there extra steps that need to be taken to avoid what seems to be an endless condition.
Sorry I'm new to using Tokens, so having difficulty understanding it.
Say I have:
Code:
<form action="" method="POST">
<P>
<label for="username">Username</label>
<input type="text" name="username" id="username"
autocomplete="off">
</P>
<P>
<label for="password">Password</label>
<input type="password" name="password" id="password"
autocomplete="off">
</P>
<P>
<input type="hidden" name="token" value="<?php echo $token ?>" />
<input type="submit" value="LOG IN">
</P>
</form>
$token = md5(sha1($salt.$ip).sha1($salt.$formName));
When form is submitted following is set:
Code:
if(empty($_SESSION['token']))
{ $_SESSION['token'] = $token;
}
if($_SESSION['token'] == $token){
//ok
}else{ //not OK
The chances are that the new token generated will never be equal to $_SESSION['token'] and the above condition will never be met. Have I got this wrong or are there extra steps that need to be taken to avoid what seems to be an endless condition.