
Security issue and SESSION variables
#1

Hello,

I am exploring your framework and it shows that you have put a lot of work into it. Thank you for making it available Open Source.

However there are some security issues.

First, it is possible for anyone who knows the name and email of a user to spoof a comment by changing the value (even hidden or disabled) in browser dev tools, and the name and email in the POST will be used regardless of what was set for $cmtx_name and $cmtx_email in the PHP backend.

To overcome this I am trying to access SESSION values to check against in the submit() function in /frontend/controller/main/form.php, but the SESSION is not available. It is available in the index() function when the page loads, but not through ajax in the submit() function.

Am I missing something here? What do you recommend?

Thank you.
Reply
#2


Have you completed the interview?
Reply
#3

Hello,

The output for this var_dump is:

- for regular (logged-in) users:
array(0) {} 

- for admin:
array(6) {
  ["cmtx_admin_id"]=>
  string(1) "X"
  ["cmtx_username"]=>
  string(12) "X"
  ["cmtx_csrf_key"]=>
  string(20) "X"
  ["cmtx_user_agent"]=>
  string(114) "X"
  ["cmtx_user_lang"]=>
  string(23) "X"
  ["cmtx_user_ip"]=>
  string(15) "X"
}

How and where should $this->session->data be populated with SESSION variables?
Reply
#4

Okay let me run some tests later today. I'll get back to you.

Have you completed the interview?
Reply
#5


Have you completed the interview?
Reply
#6

Hello,

I finally got it working by including my own session management script at the top of frontend/index.php.
The SESSION variables are already set there and I can then access them in the submit() function.

Thank you for the hints and quick reply.
Reply
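Putting the two pieces of this thread together (the spoofable name/email fields described in post #1, and the session bootstrap included at the top of frontend/index.php in post #6), here is an added example of what that entry-point bootstrap and a session-aware submit check can look like. This is illustrative code written for this thread, not Commentics code and not the poster's own script. The function names prefixed cmtx_example_ and the $_SESSION['app_user'] key are assumptions; the field names cmtx_name and cmtx_email are the ones mentioned above.

```php
<?php
declare(strict_types=1);

// Added example, not part of Commentics. Include this at the front-end entry
// point so the same session is visible to both the page load (index()) and the
// AJAX request that reaches submit().
function cmtx_example_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps scripts from reading the id; SameSite=Lax still lets
    // same-origin AJAX send the cookie; Secure is set when served over HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical helper: call this from your own login code once a user has
// authenticated, so the comment system has an identity it can trust.
function cmtx_example_set_identity(string $name, string $email): void
{
    $_SESSION['app_user'] = ['name' => $name, 'email' => $email];
}

/**
 * Decide which name/email a submitted comment is stored under.
 * The POSTed fields are untrusted input: when the session carries an
 * authenticated identity, that identity wins no matter what the form sent,
 * which closes the hidden-field editing described in the thread.
 * Returns ['name' => string, 'email' => string, 'spoofed' => bool].
 */
function cmtx_example_resolve_identity(array $post, array $session): array
{
    $posted_name  = trim((string)($post['cmtx_name']  ?? ''));
    $posted_email = trim((string)($post['cmtx_email'] ?? ''));

    if (isset($session['app_user']['name'], $session['app_user']['email'])) {
        $trusted_name  = (string)$session['app_user']['name'];
        $trusted_email = (string)$session['app_user']['email'];
        // A mismatch means the client altered the hidden/disabled fields;
        // the session values are used anyway, and the event is worth logging.
        $spoofed = ($posted_name !== '' && $posted_name !== $trusted_name)
                || ($posted_email !== '' && $posted_email !== $trusted_email);
        return ['name' => $trusted_name, 'email' => $trusted_email, 'spoofed' => $spoofed];
    }

    // Anonymous visitor: no session identity, so validate the form values.
    if ($posted_name === '' || filter_var($posted_email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Name and a valid email are required.');
    }
    return ['name' => $posted_name, 'email' => $posted_email, 'spoofed' => false];
}

// Usage from the AJAX submit path. The session is available here because the
// bootstrap ran at the entry point before the controller was dispatched.
function cmtx_example_handle_submit(): array
{
    cmtx_example_session_start();
    $identity = cmtx_example_resolve_identity($_POST, $_SESSION);
    if ($identity['spoofed']) {
        error_log('Comment identity fields did not match the session for ' . $identity['email']);
    }
    // ... store the comment under $identity['name'] / $identity['email'] ...
    return $identity;
}
```

The key design choice is that the server never compares the submitted fields in order to decide whether to trust them; it simply replaces them with the session's identity and treats a mismatch as a signal to log. That way a visitor editing the form in dev tools gains nothing, and the comparison only feeds detection.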