C97net: 5.09 Security Functions
qE & XSRF Prevention
To fight XSRF (Cross-Site Request Forgery), we need to add a unique token for each logged-in user for each session.
qE automatically adds an Anti-XSRF (AXSRF) token to each form, but only if the form is displayed using the flush_tpl () function.
function AXSRF_init ()
Initializes the AXSRF token for the current user and session. You don't normally need to call this, as qE runs it automatically every time a user logs in.
function AXSRF_value ()
Returns the current AXSRF token for the current user.
function AXSRF_check ($field = 'AXSRF_token')
Checks the user-submitted AXSRF token against the stored AXSRF token. The script automatically stops processing if the tokens don't match. It checks both the POST and the GET form method.
$field = the name of the form field that carries the token.
Example 1. test.tpl
<h1>Welcome to test page!</h1>
<!-- no token field is written here by hand: flush_tpl () injects the hidden AXSRF_token input into this form -->
<form name="myform" action="test.php" method="post">
    <input type="hidden" name="cmd" value="process" />
    <p>Your name: <input type="text" name="name" /></p>
    <p><input type="submit" /></p>
</form>
test.php
<?php
require './includes/user_init.php';   // loads the user/session context, including the AXSRF token

$cmd = post_param ('cmd');
switch ($cmd)
{
    case 'process':
        $name = post_param ('name');
        // check the AXSRF token; AXSRF_check () stops the script with "Invalid token id" if it doesn't match
        AXSRF_check ('AXSRF_token');
        msg_die ('echo', 'Your name is '.$name);
        break;

    default:
        // display the form; flush_tpl () adds the hidden AXSRF_token field to it
        $tpl = load_tpl ('test.tpl');
        $txt['main_body'] = quick_tpl ($tpl, $txt);
        flush_tpl ();
        break;
}
?>
Note! You have to be logged in to try this example, as the AXSRF token is only generated for logged-in users; otherwise the check always fails with "Invalid token id".
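The following is an added, stand-alone illustration of what the three AXSRF functions do internally; it is not qE's own code, and the demo_ function names, the DEMO_TOKEN_FIELD constant and the session, POST and GET arrays are constructed for this example. It shows the token being created from the CSPRNG at login, rendered into the hidden field that flush_tpl () would inject, and verified with a constant-time comparison, including the two failure modes the page mentions: a request with a missing or wrong token, and a session that never got a token because the user is not logged in.

```php
<?php
// Added example: minimal AXSRF token lifecycle (init / value / check).
// NOT qE's implementation; names are prefixed demo_ to avoid clashing with qE's functions.

const DEMO_TOKEN_FIELD = 'AXSRF_token';   // assumed form field name, as in the page's example

// Create a fresh token for this session. qE does this at login; storing the
// token in the server-side session ties it to one user and one session.
function demo_axsrf_init(array &$session): string
{
    $session[DEMO_TOKEN_FIELD] = bin2hex(random_bytes(32));   // 256 random bits from the CSPRNG
    return $session[DEMO_TOKEN_FIELD];
}

// Return the current token, or null when none exists (e.g. the user is not logged in).
function demo_axsrf_value(array $session): ?string
{
    return $session[DEMO_TOKEN_FIELD] ?? null;
}

// Render the hidden input that flush_tpl () adds to every form automatically.
function demo_axsrf_hidden_input(array $session): string
{
    $token = demo_axsrf_value($session) ?? '';
    return '<input type="hidden" name="' . DEMO_TOKEN_FIELD . '" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Compare the submitted token with the stored one, looking at POST first and
// then GET, as AXSRF_check () does. Returns true only on an exact match; the
// caller must stop processing on false (qE dies with "Invalid token id").
function demo_axsrf_check(array $session, array $post, array $get, string $field = DEMO_TOKEN_FIELD): bool
{
    $stored = demo_axsrf_value($session);
    if ($stored === null) {
        return false;                 // no token in the session: nothing to validate against
    }
    $submitted = $post[$field] ?? $get[$field] ?? null;
    if (!is_string($submitted) || $submitted === '') {
        return false;                 // token field absent from the request
    }
    // hash_equals() runs in constant time, so the comparison leaks nothing about the stored value.
    return hash_equals($stored, $submitted);
}

// --- Constructed walk-through (sample arrays, not real requests) ---
$session = [];                        // fresh session, user not logged in yet

// 1. Not logged in: no token was ever generated, so every check fails.
echo demo_axsrf_check($session, ['AXSRF_token' => 'anything'], []) ? "accepted\n" : "rejected: no session token (not logged in)\n";

// 2. Login: qE would call AXSRF_init () here.
$token = demo_axsrf_init($session);
echo demo_axsrf_hidden_input($session), "\n";   // what flush_tpl () writes into the form

// 3. Legitimate submission: the browser posts back the injected field.
echo demo_axsrf_check($session, ['cmd' => 'process', 'AXSRF_token' => $token], []) ? "accepted\n" : "rejected\n";

// 4. Cross-site request: another origin cannot read this session's token,
//    so the field is either missing or carries the wrong value.
echo demo_axsrf_check($session, ['cmd' => 'process'], []) ? "accepted\n" : "rejected: token missing\n";
echo demo_axsrf_check($session, ['cmd' => 'process', 'AXSRF_token' => str_repeat('0', 64)], []) ? "accepted\n" : "rejected: token mismatch\n";
```

Two details matter in practice: the token must come from random_bytes () (or another CSPRNG), never from something predictable such as a timestamp or user id, and the comparison must use hash_equals () rather than == so that a mismatch takes the same time regardless of how many leading bytes agree.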