I'm trying to write an acceptance form (cookie based) to deny/allow access to a website I am working on; I am not a security expert by any means, so I need some tips on how to make my form submission more secure, and how to store the original page that the user requested so they can be redirected to the proper page after acceptance.
Here is the basic script I have worked up:
<?php
if(isset($_POST['accept'])) {
setcookie ('accept', '1');
header('Location: http://www.the_page_that_was_requested');
exit();
} elseif(isset($_POST['decline'])) {
setcookie('accept', '0');
exit();
}
?>
and the form:
<form action='' method ='post'>
<ul>
<li> <input type= 'radio' name = 'accept' value = 'accept' /> I accept </li>
<li> <input type= 'radio' name = 'decline' value = 'decline' /> I decline </li>
<li> <input type = 'submit' value = 'Submit' name = 'submit' /> </li>
</ul>
I might not have been clear enough w/my first post:
The site I want to use this for is a webcomic hosted on WP. The comic has "mature" content (violence, language, and I only wanted to use the cookie as a mechanism for the reader to "agree" to the fact that they are going to be viewing such content. Yes, I considered using $_SESSION to do this, but in this case, if someone is willing to "forge" their willingness to view such content, I could care less if they have access to the cookie.
As for the security conerns, I just want to make sure my form is secure, and not opening my site up to some sort of easy exploit.
Any sensitive information should never be stored in a cookie, including security/permission flags.
Instead of cookies, take a look at sessions, which do not store the data on the client side (and thus outside the reach of manipulating hands). This isn't completely secure in itself, but that is a completely different discussion.
Use sessions instead. Session information is stored on the web server and not on the local client.
<?php
sessions_start();
if(isset($_POST['accept'])) {
$_SESSION['accept'] = TRUE;
}
As far as the referrer, HTTP_REFERER is not preserved over SSL (which is something you should be doing if your form is collecting sensitive information).
If you're over SSL, you could do something like this:
A page links to your form:<a href="myform.php?r=<?=urlencode("http://your.url")?>">My form</a>
Your form adds a hidden input with the value of r:<input type="hidden" name="r" value="<?=$_GET['r']?>" />
If you're not over SSL (not recommended), you could do something like this:
HTTP_REFERER:<input type="hidden" name="r" value="<?=urlencode($_SERVER['HTTP_REFERER'])?>" />Either way, your POST script will use that POST'ed value of r to redirect:header("Location: ".urldecode($_POST['r']));
You then can check the session variable anywhere else on any other page within your domain:
<?php
session_start();
if($_SESSION['accept'] == TRUE) {
//they have access
}
?>