1.02releasedFingerprint

Create a fingerprint of the hidden inputs for a given form.

Clone URLhttps://github.com/lewiswharf/fingerprint.git

Add as a submodulegit submodule add https://github.com/lewiswharf/fingerprint.git extensions/fingerprint --recursive

Compatibility

2.x.x2.1.x2.2.x2.3.x2.4.x2.5.x2.6.x2.7.0
NoNoNo1.02NoNoNoNo. Soon?

Readme

Fingerprint

Fingerprint allows you to create a fingerprint of the hidden inputs for a given form, ensuring that users do not change the values of the hidden inputs prior to submitting the form.

Usage

Fingerprint works with Symphony section events. Custom events that do not invoke the frontend delegate EventPreSaveFilter will not work and be ignored.

  1. Enable the extension.
  2. Set a long and random secret under Preferences.

If the fingerprint upon form submission fails to match the fingerprint created at page creation, the filter messages array will be populated and cause the event to fail.

<filter name="fingerprint" status="failed">Fingerprint does not match.</filter>

Note: hidden input values must be generated via XSLT. Hidden inputs added or changed with JavaScript will cause the event to fail.

Example Use Cases

Fingerprint allows you to do the following things without worrying about users altering values and tampering with a form:

  1. Calculate shopping cart prices/totals via XSLT and pass them as a hidden input to the payment processor.
  2. Use in conjunction with the Members extension to ensure users do not change their role or attempt to edit another entry.
  3. Use in conjunction with the Stripe extension to ensure information sent to Stripe is not altered by the user.

Version history

Requires Symphony 2.3

        - Small improvements
	        - Added `no-fingerprint` page type check to terminate fingerprint checking for page
	

Requires Symphony 2.3

        - Use HMAC instead of shal to create fingerprint.
	        - Changed behavior of fingerprint creation. Always create/check fingerprint, fall back to hash of secret in preferences.
	        - Cleaned up session name.
	

Requires Symphony 2.3

        - Initial release.