How can I prevent fake registration bots without using some annoying capture? Is there a way?
Also to help prevent against fake http requests / form spoofs is this an acceptable method?
my genToken method in my user class
Code
public function genToken(){
$token = md5(uniqid(mt_rand()), false);
$_SESSION["token"] = $token;
return $token;
}
Login.php (basics)
Code
<?php
if(isset($_SESSION["token"])){
$token = $_SESSION["token"];
}else{
$token = $user->genToken();
}
?>
<form method="post" action="include/site/login.php">
<input type="hidden" id="token" name="token" value="<?php echo($token); ?>" autocomplete="off">
</form>
Then when the form submits I check for this token value and compare it with current session token and do what's needed.
(this might be absolutely retarded that's why I'm asking for advice so don't come with some elitist circle jerk attitude please)
Thanks for reading!
##################
Another quick question about session hijacking. This is my user class construct method. Is this okay to do?
Code
function __construct(){
/* Session hijack protect*/
if(!isset($_SESSION['last_ip'])) {
$_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}
if($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
/* Clear the SESSION */
$_SESSION = array();
/* Destroy the SESSION */
session_unset();
session_destroy();
}
}
e/ just read title fml ..
This post was edited by Atonement on Jul 31 2012 03:55am