ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Significance of hidden XID field

July 24, 2008 6:46pm

  • #1 / Jul 24, 2008 6:46pm

    stevefink

    136 posts

    Hi all,

    I’ve been taking a peek into how the EE engineers have been ensuring form submissions are ‘secure’ in the sense of anti brute force attacks, replay attacks and the like.  With that said, it is typical of EE to embed a hidden field named ‘XID’ to help take preventive measures against these verticals.

    I suppose my question is, is there any public documentation describing the thought process behind the purpose of the hidden XID field—and what exactly it does to help make the life of a perpetrator slightly more difficult?

    If not, I’ll stop being lazy and continue reading the source code. 😊

    Thanks all!

  • #2 / Jul 24, 2008 6:57pm

    Ingmar

    29245 posts

    It makes sure that the same form is not submitted twice, and that, in fact, the information is submitted from a regular, EE-created form, and not some spammer. EE creates that unique ID, keeps track of them, and will only accept data from a form that has an ID EE created. Makes sense?
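The mechanism Ingmar describes above (server mints a random ID, remembers it, embeds it in a hidden field, accepts a submission only if the ID was issued by the server and has not been used yet), as an added example that is not part of this thread and is not ExpressionEngine's own code. It is written in Python rather than EE's PHP; the class and function names (FormTokenStore, handle_post), the in-memory store standing in for a database table, the one-hour default lifetime and the session ids are all assumptions made for the demo, not EE's real values.

```python
"""Single-use hidden form token ("XID"-style) demo.

Added example, not ExpressionEngine code. Demonstrates the four checks a
hidden form ID gives you: the token must exist (the form came from the
server), must belong to the submitting session, must be unused (no
double-submit / replay), and must not be stale.
"""
import secrets
import time
from html import escape


class FormTokenStore:
    """Issues and consumes single-use form tokens.

    The dict stands in for the database table a CMS would use (demo
    assumption). `now` is injectable so expiry can be tested offline.
    """

    def __init__(self, ttl=3600, now=time.time):
        self.ttl = ttl
        self._now = now
        self._issued = {}  # token -> (session_id, issued_at)

    def issue(self, session_id):
        # 128 bits from the OS CSPRNG: not guessable, not enumerable.
        token = secrets.token_hex(16)
        self._issued[token] = (session_id, self._now())
        return token

    def hidden_field(self, session_id):
        """The hidden input a server-rendered form embeds."""
        return '<input type="hidden" name="XID" value="%s">' % escape(
            self.issue(session_id))

    def _purge_expired(self):
        cutoff = self._now() - self.ttl
        for tok in [t for t, (_, at) in self._issued.items() if at < cutoff]:
            del self._issued[tok]

    def consume(self, session_id, token):
        """True exactly once for a token this store issued to this session."""
        self._purge_expired()
        if not isinstance(token, str):
            return False
        entry = self._issued.get(token)
        if entry is None or entry[0] != session_id:
            # Unknown/forged token, or another session's token: reject
            # without consuming so the rightful owner's form still works.
            return False
        del self._issued[token]  # consumed: a replay now fails
        return True


def handle_post(store, session_id, form):
    """Check a form handler runs before trusting any submitted data.
    `form` is the parsed POST body (a plain dict here)."""
    if not store.consume(session_id, form.get("XID")):
        return "rejected: missing, forged, replayed or expired XID"
    return "accepted: " + form.get("comment", "")


def walkthrough():
    """Runs the scenarios a reviewer would want to see; returns outcomes."""
    clock = [1000.0]
    store = FormTokenStore(ttl=60, now=lambda: clock[0])
    field = store.hidden_field("sess-A")
    token = field.split('value="')[1].rstrip('">')
    results = {
        "field_ok": field.startswith('<input type="hidden" name="XID"'),
        "first_submit": store.consume("sess-A", token),
        "replay": store.consume("sess-A", token),
        "forged": store.consume("sess-A", "0" * 32),
        "missing": store.consume("sess-A", None),
    }
    t2 = store.issue("sess-A")
    results["other_session"] = store.consume("sess-B", t2)
    results["owner_after_theft_attempt"] = store.consume("sess-A", t2)
    t3 = store.issue("sess-A")
    clock[0] += 61  # past the 60 s ttl
    results["expired"] = store.consume("sess-A", t3)
    results["handler_ok"] = handle_post(
        store, "sess-A", {"XID": store.issue("sess-A"), "comment": "hi"})
    results["handler_no_xid"] = handle_post(store, "sess-A", {"comment": "hi"})
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print("%-26s %s" % (step, outcome))
```

The ownership check matters in practice: without binding the token to the session, a token harvested from one browser could be submitted from another, and consuming a mismatched token would let a third party invalidate someone else's open form. Expiry keeps the store from growing without bound and caps how long a leaked token stays useful.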

  • #3 / Aug 05, 2008 8:07pm

    stevefink

    136 posts

    Hi Ingmar!

    Thank you kindly for the response.  That makes perfect sense, finally had a chance to go through the code and see how it works underneath the hood.

    Thanks again. 😊

  • #4 / Aug 06, 2008 2:22am

    Ingmar

    29245 posts

    My pleasure, I’m sure 😊

