[Typo3-dev] security suggestion for tipafriend ext
Daniel Pötzinger
operation-lan at gmx.de
Wed Jun 9 19:39:31 CEST 2004
If it is enough spam protection to be sure the user used the tip-a-friend
form, one could secure it with a checksum.
My suggestion:
I mean something like this:
    $time = time();
    $checksum = md5($time . $someextrakey);
    // the risk is the someextrakey, which should be set in Template TS

Both $time and $checksum must be in the tipafriend form (hidden fields).
Before sending the mail, a function could check something like this:

    if (strcmp($checksum, md5($time . $someextrakey))) {
        // no permission
    }
    elseif ((time() - $time) > $timeout) {
        // timeout
    }
More security only with dynamic calculation of the someextrakey and
remembering the keys, to ensure that a key can only be used one time...
(like TANs)
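
The scheme sketched in the post, written out as an added example (not part of the original message and not code from the tipafriend extension). It keeps the timestamp, checksum and timeout, and assumes HMAC-SHA256 in place of md5($time.$someextrakey), a constant-time comparison, and a per-form nonce recorded after use for the one-time idea; the function names, the $used array standing in for a persistent store, and the sample key and timestamp are hypothetical.

```php
<?php
// Added example; every name here is hypothetical, not tipafriend's API.
// $secret plays the role of the post's $someextrakey.

function issueFormToken(string $secret, int $now): array
{
    $nonce = bin2hex(random_bytes(16));   // unique per rendered form
    return [
        'time'     => (string)$now,
        'nonce'    => $nonce,
        'checksum' => hash_hmac('sha256', $now . '|' . $nonce, $secret),
    ];
}

function checkFormToken(array $f, string $secret, int $now, int $timeout, array &$used): string
{
    foreach (['time', 'nonce', 'checksum'] as $k) {
        if (!isset($f[$k]) || !is_string($f[$k])) {
            return 'no permission';       // missing or array-valued field
        }
    }
    if (!ctype_digit($f['time'])) {
        return 'no permission';
    }
    $expected = hash_hmac('sha256', $f['time'] . '|' . $f['nonce'], $secret);
    if (!hash_equals($expected, $f['checksum'])) {   // constant-time compare
        return 'no permission';
    }
    $age = $now - (int)$f['time'];
    if ($age < 0 || $age > $timeout) {
        return 'timeout';
    }
    if (isset($used[$f['nonce']])) {
        return 'already used';            // replay of a valid form
    }
    $used[$f['nonce']] = $now;            // real code: persistent store, purged after $timeout
    return 'ok';
}

// Constructed demo values.
$secret = 'constructed-demo-key';
$used   = [];
$t0     = 1086802771;
$form   = issueFormToken($secret, $t0);
echo checkFormToken($form, $secret, $t0 + 30, 600, $used), "\n";    // first submit
echo checkFormToken($form, $secret, $t0 + 40, 600, $used), "\n";    // same form again
$forged = ['time' => (string)($t0 + 3600)] + $form;                 // altered timestamp
echo checkFormToken($forged, $secret, $t0 + 3700, 600, $used), "\n";
```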