Hidden Form Fields
Hidden Form FieldsA hidden (not presented to the user by a browser) entry in a HTML form. Example:
<input type="hidden" name="session_id" value="12345">The hidden value is send back to the server when the form is submitted as if the user did enter the value.
Such hidden values are often used to pass session information.
A common security problem in form processing is to to assume that these fields are truly invisible to the end user, and to place hidden information in the form that should be kept on the server and referenced by a session key.
Couldn't I forge a session key? Couldn't I just keep using different session keys?
You can try.
Clearly, but are there any standard protections on session keys? Maybe some sort of encoding i guess.
A session key (whether delivered via HiddenFormFields or cookie, is typically made large enough to resist BruteForce attacks, cryptographically random enough to avoid related-key attacks, and is either timed out or changed per page to avoid ReplayAttack?s. Naturally, some people aren't as careful as they should be, but these are well-known practices.
Session keys and form field values can get out of sync, so one has to be careful using them in parellel. Generally there is only one of a given session variable, but it is possible for a user to have several instances of a given form open or hit the evil Back button. The server cannot easily know about such situations.
If you really need security, you can always encrypt and/or sign the hidden data. The problem with this approach is that you need additional logic in your application, since the web-frameworks don't handle this for you.
EditText of this page
(last edited August 25, 2005)
or FindPage with title or text search