[drupal-devel] Seems like form validation might fail with some users
Some ISP's, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API which uses the IP address to create a token used to validate a form. The IP address collected from the user when used the form gets loaded could be different from the IP address seen when submitting it.
On Sun, Nov 06, 2005 at 01:54:20PM -0500, Steve Dondley wrote:
Some ISP's, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API which uses the IP address to create a token used to validate a form. The IP address collected from the user when used the form gets loaded could be different from the IP address seen when submitting it.
I used AOL two years ago and I had a consistent IP throughout each session. And if inconsistent IPs do happen (as they did in my office a few months ago) the session handling gets very confused. -Neil
I just pulled these log entries from a site on my server. The IP changed with every single hit. This is a very lightly trafficked site so it's impossible many simultaneous AOL users were visiting the site. 205.188.116.5 - - [31/Oct/2005:15:52:47 -0500] "GET / HTTP/1.0" 200 4521 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7.0" 0 www.wmjwj.org 205.188.117.12 - - [31/Oct/2005:15:52:49 -0500] "GET /misc/drupal.css HTTP/1.0" 200 9377 "http://wmjwj.or g/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7.0" 0 www.wmjwj.org 205.188.116.68 - - [31/Oct/2005:15:52:50 -0500] "GET /sites/wmjwj.org/modules/event/event.js HTTP/1.0" 20 0 717 "http://wmjwj.org/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7 .0" 0 www.wmjwj.org 205.188.116.72 - - [31/Oct/2005:15:52:50 -0500] "GET /sites/wmjwj.org/modules/event/event.css HTTP/1.0" 2 00 5382 "http://wmjwj.org/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL /7.0" 0 www.wmjwj.org 205.188.116.7 - - [31/Oct/2005:15:52:51 -0500] "GET /sites/wmjwj.org/themes/bluemarine_custom/style.css H TTP/1.0" 200 6006 "http://wmjwj.org/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20 020924 AOL/7.0" 0 www.wmjwj.org 205.188.117.71 - - [31/Oct/2005:15:52:52 -0500] "GET /misc/menu-leaf.png HTTP/1.0" 200 108 "http://wmjwj. org/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7.0" 0 www.wmjwj.org 205.188.116.72 - - [31/Oct/2005:15:52:52 -0500] "GET /misc/menu-collapsed.png HTTP/1.1" 200 108 "http://w mjwj.org/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7.0" 0 www.wmjwj .org 205.188.116.13 - - [31/Oct/2005:15:52:52 -0500] "GET /sites/wmjwj.org/files/logo.jpg HTTP/1.0" 200 32875 "http://wmjwj.org/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7.0" 0 www.wmjwj.org On 11/6/05, neil@civicspacelabs.org <neil@civicspacelabs.org> wrote:
On Sun, Nov 06, 2005 at 01:54:20PM -0500, Steve Dondley wrote:
Some ISP's, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API which uses the IP address to create a token used to validate a form. The IP address collected from the user when used the form gets loaded could be different from the IP address seen when submitting it.
I used AOL two years ago and I had a consistent IP throughout each session. And if inconsistent IPs do happen (as they did in my office a few months ago) the session handling gets very confused.
-Neil
-- Dondley Communications http://www.dondleycommunications.com Communicate or Die: American Labor Unions and the Internet http://www.communicateordie.com
I agree that this is a problem. I reported it against ecommerce sometime back, and suggested an alternative (using the session ID). http://drupal.org/node/35344 Now that this is a problem with all of Drupal (because of the new Form API?) it needs to be addressed more urgently. On 11/6/05, Steve Dondley <sdondley@gmail.com> wrote:
Some ISP's, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API which uses the IP address to create a token used to validate a form. The IP address collected from the user when used the form gets loaded could be different from the IP address seen when submitting it.
Are there any reasons against using PHP's built-in session functions and the session ID for form validation? Konstantin
Now that this is a problem with all of Drupal (because of the new Form API?) it needs to be addressed more urgently.
No, because of the form token patch. I wanted to introduce IP checking into session.inc (/me adjusts his security labeled tinfoil hat) but I was voted down. So, there should be no IP checking anywhere. Regards NK
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06 Nov 2005, at 8:54 PM, Steve Dondley wrote:
Some ISP's, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API which uses the IP address to create a token used to validate a form. The IP address collected from the user when used the form gets loaded could be different from the IP address seen when submitting it. That's hardly form api specific.
it's from a patch before form api hit. - -- Adrian Rossouw Drupal developer and Bryght Guy http://drupal.org | http://bryght.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFDbl8egegMqdGlkasRAn8CAJ4xRP0Au/OvvPVsn7oRgqVxNqJ/HwCgtX9z A8iKFi8FVOFfaCJr3G+6aJ4= =gsA/ -----END PGP SIGNATURE-----
I've replied to this a couple of times, but it's been blocked by the mailing list software. One last try... On Sun, 6 Nov 2005 13:54:20 -0500 Steve Dondley <sdondley@gmail.com> wrote:
Some ISP's, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API which uses the IP address to create a token used to validate a form. The IP address collected from the user when used the form gets loaded could be different from the IP address seen when submitting it.
The form validation code was originally added in this thread: http://drupal.org/node/28420 (see #23 - #26) We discussed using the IP or the session_id, and I chose the IP at the time. If ISPs out there really change a user's IP with each page load (that seems awfully ugly to me, but whatever), then something needs to change in our code. Is there ever a time where the session_id may change from page to page (ie, what if cookies are disabled in the browser, and the server isn't configured to embed session ID's in the URL?) The attached patch is all it would take to switch from IP's to Session ID's. Alternatively you could just remove the IP/session_id and form validation would still offer protection from spammers. -Jeremy
At 6:09 PM -0500 6/11/05, Jeremy Andrews wrote:
Is there ever a time where the session_id may change from page to page (ie, what if cookies are disabled in the browser, and the server isn't configured to embed session ID's in the URL?)
I used to work on the PHPLIB project, and the user's session ID was always very stable and consistent. I never saw a support request about lost sessions that wasn't caused by a bad configuration of either browser or more usually the application. So I think that if the session ID has changed from when the form is shown to when it is submitted, that is a good enough reason to invalidate the submission. +1 to use session_id(). ...R.
On Nov 6, 2005, at 5:09 PM, Jeremy Andrews wrote:
We discussed using the IP or the session_id, and I chose the IP at the time. If ISPs out there really change a user's IP with each page load (that seems awfully ugly to me, but whatever), then something needs to change in our code.
Sticking a session to an IP creates more problems than it solves. See a similar discussion at http://drupal.org/node/19845 , which includes discussion and a few handy references. Allie Micka pajunas interactive, inc. http://www.pajunas.com scalable web hosting and open source strategies
participants (9)
-
Adrian Rossouw -
Allie Micka -
Jeremy Andrews -
Karoly Negyesi -
Khalid B -
Konstantin Käfer -
neil@civicspacelabs.org -
Richard Archer -
Steve Dondley