Trying to understand how a token works

waydown

Programmer
Apr 27, 2009
Hi,
Sorry, I'm new to using tokens, so I'm having difficulty understanding them.
Say I have:
Code:
<form action="" method="POST">
<p>
  <label for="username">Username</label>
  <input type="text" name="username" id="username" autocomplete="off">
</p>
<p>
  <label for="password">Password</label>
  <input type="password" name="password" id="password" autocomplete="off">
</p>
<p>
  <input type="hidden" name="token" value="<?php echo $token; ?>" />
  <input type="submit" value="LOG IN">
</p>
</form>
where:
Code:
// $salt, $ip and $formName are set earlier in the script;
// the token depends only on them, not on the submitted fields
$token = md5(sha1($salt.$ip).sha1($salt.$formName));
When the form is submitted, the following is set:
Code:
// store the token the first time the form is handled in this session
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = $token;
}
However, if after the first submission the username or password is incorrect and the form is resubmitted with the correct username or password, a new $token would be generated. In that case how can I test:
Code:
if ($_SESSION['token'] == $token) {
    // ok
} else {
    // not OK
}

The chances are that the newly generated token will never be equal to $_SESSION['token'], and the above condition will never be met. Have I got this wrong, or are there extra steps that need to be taken to avoid what seems to be an endless condition?
 
A token????

'token' in your supplied code is simply the name of the variable, and in the context of the code 'token' is simply a hash code that is generated to identify that the form data is not being sent by a "posting bot"; the data is ONLY accepted if there is a valid value for 'token'. When bots are being used they do not request the form (GET) before the form is submitted (POST), so the value for 'token' will be empty or a value that does not match the session variable value.


However, if after first submission username or password is incorrect

However:
The value of $token does not use the username when it is generated, so how is it going to change?

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
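As an added example (not code from either post above), here is the complete flow Chris describes, written so that the token is issued once on the first GET, kept in $_SESSION, and checked against the posted value on every submit; a failed login therefore re-renders the form with the same token and the comparison still holds on the retry. It swaps the post's salt+IP hash for random_bytes(), uses hash_equals() for the comparison, and assumes PHP 7.1+, a working session, and made-up demo credentials and a /welcome.php landing page.

```php
<?php
// Added example, not code from the original thread. A per-session login-form
// token: issued on the first GET, kept in $_SESSION, checked on every POST.
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable types) and that
// session_start() succeeds; /welcome.php and the demo credentials are made up.
session_start();

const TOKEN_KEY = 'login_form_token';   // session slot name; arbitrary

// Demo credential store, built at load time so the example is self-contained.
$DEMO_USER = 'alice';
$DEMO_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Return the session's token, creating it on first use. Because the token
// lives in the session rather than being recomputed on each request, a failed
// login simply re-renders the form with the same value, so the check below
// still succeeds when the user retries with the right password.
function formToken(): string
{
    if (empty($_SESSION[TOKEN_KEY])) {
        $_SESSION[TOKEN_KEY] = bin2hex(random_bytes(32));  // 64 hex chars, unpredictable
    }
    return $_SESSION[TOKEN_KEY];
}

// A POST that never fetched the form (a posting bot, or a form on another
// site) carries no token or a stale one; reject it before touching credentials.
function tokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION[TOKEN_KEY])) {
        return false;
    }
    return hash_equals($_SESSION[TOKEN_KEY], $submitted);  // constant-time compare
}

// Stand-in for the real credential check.
function credentialsOk(string $user, string $pass): bool
{
    global $DEMO_USER, $DEMO_HASH;
    return hash_equals($DEMO_USER, $user) && password_verify($pass, $DEMO_HASH);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!tokenIsValid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid');
    }
    if (credentialsOk($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true);     // new session id after authentication
        unset($_SESSION[TOKEN_KEY]);     // next form render gets a fresh token
        $_SESSION['user'] = $_POST['username'];
        header('Location: /welcome.php');
        exit;
    }
    $error = 'Incorrect username or password';   // fall through and re-render
}
$token = formToken();
?>
<form action="" method="POST">
<?php if ($error !== ''): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
  <p>
    <label for="username">Username</label>
    <input type="text" name="username" id="username" autocomplete="off">
  </p>
  <p>
    <label for="password">Password</label>
    <input type="password" name="password" id="password" autocomplete="off">
  </p>
  <p>
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <input type="submit" value="LOG IN">
  </p>
</form>
```

Two points worth noting against the original post's version: the comparison is always $_SESSION value against the posted field, never against a freshly computed $token, so there is nothing to drift between submissions; and a token derived from md5/sha1 of salt, IP and form name is the same for every visit from that address and can be reproduced by anyone who learns the salt and the scheme, whereas a random per-session value cannot be guessed.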