Software and Other Mysteries

On code and productivity with a dash of unicorn dust.

Open-sourcing production code

One of my very first projects that actually made it to real users was Skivsamlingen, developed in the dawn of my PHP days. Skivsamlingen means The Record Collection, and is not surprisingly a web application where users can list all their records.

The size of the target group has admittedly decreased somewhat since the era of iTunes, Spotify and Grooveshark, among others, began, but there are still active users on the site. These users are the reason I felt I had to clear my conscience for barely working on the site for many years. Possible solutions are to make time for the site, take it down, or simply let other people work on it.

Form protection revisited

About a month ago I wrote a post on how to protect your forms from double posting and CSRF attacks using nonce words in CodeIgniter. I realized pretty soon, though, that the code I posted wasn’t as smooth or, in fact, as functional as it should be. So to save my own ass I thought I should share this update with you guys.

I would like to put this in a less shameful way, but the fact is the library didn’t do what it was supposed to do. On every page refresh a new nonce was created, which indeed hindered an attempt to simply press the back button and resubmit. The problem was that if you submitted yet another time after the error message about the invalid nonce was displayed (well, you probably should word it differently to the end user), the nonce passed validation.

Don't forget me, cookie!

Most websites where authentication is required to perform certain actions have the option of remembering your credentials. Convenient, indeed, but bypassing the user input phase of the login means some other type of identifier needs to be stored locally, which could pose a severe security risk.

My first attempt at this - and please remember this was a long, looong time ago, in a simpler time - was to simply store the username and password in a cookie. Yes, that’s right, store the user’s credentials in plain text. The security concerns are obvious: a simple cookie theft would give the attacker everything he needs without having to think twice, and as if that wasn’t enough, there is a high risk that the same credentials can be used to access other sites, since very few people actually use different passwords for every site they register on. Luckily this site never reached an audience.

No-nonsense protection using a nonce

UPDATE: A new and improved version of this extension can be found in my post Form protection revisited!

In a web application for record collectors I wrote a few years ago, I recently had to deal with users who added the same record hundreds of times. I did use the PRG, or Post/Redirect/Get, pattern, which means that you always redirect the user after a POST request so that a simple reload won’t resubmit the same data. This prevents users from mistakenly resubmitting, but by pressing the back button the problem re-emerges. The solution is called a nonce.