University Computer Centre

Securing web forms

Protect publicly accessible web forms against so-called CSRF attacks (Cross Site Request Forgery) and "form spamming". Form spammers are programs that submit web forms automatically in order to trigger unwanted actions, such as sending e-mails or filling databases with meaningless entries.

So-called captchas are often used for protection, but they are usually not barrier-free (accessible). Here we present simple variants that you, as a web author of the TU Chemnitz, can use to protect your web forms.

Secured web forms in 3 steps

1. Initialize

In this step you include the PHP code and select a method. Important: Be sure to put this before the TUCAL function seite()!

<?php
require_once('php/secform.inc');   # provides the class tucal_secform
$secform = new tucal_secform(0);   # protection method: 0, 1, or 2 (see below)
seite(__FILE__);                   # TUCAL page function - must come after the two lines above

The following protection methods are currently implemented:
  • 0 – invisible token
  • 1 – token and time check (invisible)
  • 2 – token, time check and JavaScript checkbox "I'm human" (visible, JavaScript required)

Normally, method 1 should be sufficient. All variants also protect against CSRF attacks and prevent multiple submissions of the form.

2. Place secret in the form

Put the HTML code that the PHP function get_token() returns in your HTML form:

<form action="mod_secform.php" method="post" class="form-horizontal">
  ...
  <?php echo $secform->get_token(); ?>
  <button type="submit" class="btn btn-default" style="margin:1em">Send</button>
  </div>
</form>

3. Checking in the form evaluation

Use the function check_token(min, max) to check the chosen protection method. min and max are numerical values in seconds: a human user should be able to fill in and submit the form within this time range. You can see the usage in the example:

<?php
  # Form evaluation
  # time for the user to fill in the form - here:
  # minimum 5 seconds, maximum 900 seconds = 15 minutes
  # use $secform->check_token(0, 0); to turn off the time check
  list($ok, $reason) = $secform->check_token(5, 900);
  if ($ok) {
      # general form evaluation
  } else {
      # output error, e.g. $reason, and/or simply display form again
      echo 'Error: ' . htmlspecialchars($reason);
  }
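To make the three steps concrete, here is an added example of how such a token scheme can be built. It is not the code of secform.inc, whose internals this page does not show; the class name demo_secform and the field name secform_token are assumptions made for the example.

```php
<?php
// Added illustrative example, not the code of secform.inc: a minimal
// session-bound, single-use form token with a fill-time check. The class
// name demo_secform and field name secform_token are made up for this example.

class demo_secform
{
    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();                     // tokens live in the server-side session
        }
        if (!isset($_SESSION['secform_tokens'])) {
            $_SESSION['secform_tokens'] = [];    // nonce => issue time (unix seconds)
        }
    }

    // Step 2: hidden field with a random, unguessable nonce; the issue time is
    // kept server-side, so the client cannot forge or backdate it.
    public function get_token(): string
    {
        $nonce = bin2hex(random_bytes(16));      // 128 bits, hex only: safe in an attribute
        $_SESSION['secform_tokens'][$nonce] = time();
        return '<input type="hidden" name="secform_token" value="' . $nonce . '">';
    }

    // Step 3: returns [ok, reason]; $min/$max in seconds, (0, 0) disables the time check.
    public function check_token(int $min, int $max): array
    {
        $nonce = $_POST['secform_token'] ?? '';
        if (!preg_match('/^[0-9a-f]{32}$/', $nonce)) {
            return [false, 'token missing or malformed'];
        }
        // CSRF defence: the nonce must have been issued to this very session
        if (!isset($_SESSION['secform_tokens'][$nonce])) {
            return [false, 'token unknown or already used'];
        }
        $issued = $_SESSION['secform_tokens'][$nonce];
        unset($_SESSION['secform_tokens'][$nonce]);   // single use: a resend is rejected
        $age = time() - $issued;
        if ($min > 0 && $age < $min) {
            return [false, "form submitted too quickly ({$age}s)"];
        }
        if ($max > 0 && $age > $max) {
            return [false, "form expired ({$age}s, limit {$max}s)"];
        }
        return [true, ''];
    }
}
```

In a real deployment, nonces older than the maximum fill time should also be pruned from the session so they do not accumulate.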

Examples

Answers to frequently asked questions

Are these methods really secure?

No. Absolutely secure variants for publicly accessible forms, let alone barrier-free ones, are unlikely to exist. However, the implemented methods require "human behaviour" in a real web browser:

  • 0 – The form must be loaded by the web browser before submission and cannot be submitted multiple times.
  • 1 – The form must also be filled out and submitted in a certain amount of time.
  • 2 – JavaScript must be evaluated (which is usually not the case with bots). The user must click exactly one of two checkboxes, one of which is not visible at all due to CSS.

Ultimately, practice will show whether these methods keep the "pests" away. As soon as such automated programs see through and circumvent our measures, the protection is undermined; in that case, we will develop new measures.