Hello again,

At step 1:

>In the "Session" section, verify it says "Session Support: Enabled"

It is enabled.

>In the list of directives look at "session.auto_start". If this is
>"Off", you will require session_start(); at the start of your php pages.

It is off but I recently did add the session_start() back to the
beginning of my PHP page and still had this current problem.

In step 2, you said

>"and view the source to ensure it contains the token (and maybe php session)"

I'm not sure how to do that. I know how to view the source of web
pages: View>Page source in Firefox, it just displays the PHP as it was
authored.

Next I went on to step 3. Valid Token processing and when I click the
submit button I get:

Token in session []
Token from URL []

Are they equal? No.
Invalid token.

------------------------------------------------------------------

Upon a reload I get:

Token in session [13c713c205bac341ccb02c4533560c3948e8470b135580.07243695]
Token from URL []

Are they equal? No.
Invalid token []

Here is the current page (IE is in quirks but FF and Chrome displayed
it ok):

http://www.dockhawk.com/html.html

I haven't moved on to step 4 and created a fake form yet. I'll keep
working at this.

On Oct 4, 4:13 am, Lan Mind <[EMAIL PROTECTED]> wrote:
> Thank you William,
>
> It will take me a few days to try this because of work, but this I
> will do : )
>
> On Oct 4, 1:29 am, William <[EMAIL PROTECTED]> wrote:
>
> > the technique seems to work on my PHP 4 server. Try the following
> > procedure.
>
> > 1. Verify PHP Configuration
>
> > make a simple php page that gets information about your server. If
> > you are worried about security delete this page after you've used it!!
> > -------------------------------------------------------------------------------
> > <?php phpinfo() ?>
> > -------------------------------------------------------------------------------
>
> > In the "Session" section, verify it says "Session Support: Enabled"
>
> > In the list of directives look at "session.auto_start". If this is
> > "Off", you will require session_start(); at the start of your php
> > pages.
>
> > 2. Token Creation
>
> > create a php form
> > -------------------------------------------------------------------------------
> > <?php
> > session_start();
> > $_SESSION['token'] = uniqid(md5(microtime()), true);
> > ?>
> > <html>
> > <head></head>
> > <body>
> >   <form id= "search_form" method="get" action="testphp.php">
> >     <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" />
> >     <input type="text" name="name" value="" maxlength="256" size="50" />
> >     <input type="submit" value="Search" />
> >   </form>
> > </body>
> > </html>
> > -------------------------------------------------------------------------------
>
> > and view the source to ensure it contains the token (and maybe php
> > session)
>
> > <input type="hidden" name="PHPSESSID"
> > value="8c253b566571cb8c47e19c2037470878" />
> > <input type="hidden" name="token"
> > value="28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232" />
>
> > 3. Valid Token processing
>
> > create testphp.php
> > -------------------------------------------------------------------------------
> > <?php
>
> > session_start();
>
> > // get token variables
> > $token_session = $_SESSION['token'];
> > $token_url = $_GET['token'];
>
> > // compare them
> > $comparison = $token_session == $token_url;
>
> > // set the token to a new value to ensure it is only used once.
>
> > $_SESSION['token'] = uniqid(md5(microtime()), true);
>
> > echo 'Token in session [' . $token_session .']<br>';
> > echo 'Token from URL [' . $token_url . ']<br><br>';
> > echo 'Are they equal? ' . ($comparison ? 'Yes' : 'No') . '.<br>';
>
> > if (!$comparison) {
> >     die('Invalid token.');
> > } else {
> >     echo 'Valid token.';
> > }
>
> > ?>
> > -------------------------------------------------------------------------------
>
> > Token in session
> > [28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
> > Token from URL
> > [28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
>
> > Are they equal? Yes.
> > Valid token
>
> > 4. Invalid Token processing
>
> > (a) Refresh testphp.php and it should say "Invalid token" because
> > there's a new token in the session.
>
> > (b) Press back button to get back to the php form, and resubmit it.
> > It might say "invalid token" if the php form has been cached on your
> > browser.
>
> > (c) create a html file with a fake form:
> > -------------------------------------------------------------------------------
>
> > <html>
> > <head></head>
> > <body>
> >   <form id= "search_form" method="get" action="testphp.php">
> >     <input type="hidden" name="token" value="blue" />
> >     <input type="text" name="name" value="" maxlength="256" size="50" />
> >     <input type="submit" value="Search" />
> >   </form>
> > </body>
> > </html>
> > -------------------------------------------------------------------------------
>
> > This should say "invalid token"
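
The single-use token check from steps 3 and 4 of the quoted procedure, as an added example that is not code from either poster. It assumes PHP 7 or later (for `random_bytes()` and `hash_equals()`); the function names `issue_token()` and `consume_token()` are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// $session stands in for $_SESSION so this runs offline with `php file.php`.

function issue_token(array &$session): string
{
    // 32 bytes from the OS CSPRNG. uniqid() and microtime() are derived
    // from the clock and are not cryptographically secure.
    $session['token'] = bin2hex(random_bytes(32));
    return $session['token'];
}

function consume_token(array &$session, $submitted): bool
{
    $expected = $session['token'] ?? null;
    // Single use: drop the stored token before comparing, pass or fail.
    unset($session['token']);

    // A token missing on either side is a failure. With loose ==,
    // null == null is true, so two absent tokens would compare equal.
    // is_string() also rejects array input such as ?token[]=x.
    if (!is_string($expected) || $expected === '' ||
        !is_string($submitted) || $submitted === '') {
        return false;
    }
    // Constant-time comparison, so timing does not leak matching prefixes.
    return hash_equals($expected, $submitted);
}

// Constructed walk-through of the cases in steps 3 and 4.
$session = [];
$results = [];
$results['no token anywhere']  = consume_token($session, null);
$token = issue_token($session);
$results['valid first submit'] = consume_token($session, $token);
$results['refresh (replay)']   = consume_token($session, $token);
issue_token($session);
$results['fake form "blue"']   = consume_token($session, 'blue');

foreach ($results as $case => $ok) {
    printf("%-20s %s\n", $case, $ok ? 'Valid token' : 'Invalid token');
}
```

In a real page the two functions would be called with `$_SESSION` after `session_start()`, and `consume_token()` would receive `$_GET['token'] ?? null`.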
