XSRF Prevention

To defend against XSRF (Cross-Site Request Forgery), a unique token is issued to each logged-in user for each session, and that token must be sent back with every form submission.

qE automatically adds the Anti-XSRF (AXSRF) token to each form, but only if the form is displayed using the flush_tpl () function.

function AXSRF_init ()

Initialises the AXSRF token for the current user for the current session. You don't normally need to call this yourself, as qE runs it automatically every time a user logs in.

function AXSRF_value ()

Returns the current AXSRF token for the current user.

function AXSRF_check ($field = 'AXSRF_token')

Checks the user-submitted AXSRF token against the stored AXSRF token. The script automatically stops processing if the tokens don't match. Both POST and GET form methods are checked automatically.

$field = the name of the form field that carries the token.
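The following is an added illustration of the synchronizer-token pattern the three functions above implement; it is not qE's own code, and the session key 'axsrf_token', the use of $_SESSION, and the extra axsrf_field () helper are assumptions made for this example.

```php
<?php
// Added example (not qE's code): a minimal per-session anti-XSRF token,
// mirroring AXSRF_init (), AXSRF_value () and AXSRF_check () as described above.
// Assumptions: the token lives in $_SESSION['axsrf_token'] (name chosen here),
// and a PHP session has been started before any of these run.

session_start();

// Create one unpredictable token per logged-in user per session.
// Call this at login, after session_regenerate_id (), so an attacker cannot
// pre-plant a token they already know.
function axsrf_init(): string
{
    // 32 random bytes -> 64 hex characters from the CSPRNG.
    $_SESSION['axsrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['axsrf_token'];
}

// Return the current token, or '' when none exists (so the check below fails).
function axsrf_value(): string
{
    return $_SESSION['axsrf_token'] ?? '';
}

// Hidden input to embed in a form; both attribute values are HTML-escaped.
function axsrf_field(string $field = 'AXSRF_token'): string
{
    return '<input type="hidden" name="'
        . htmlspecialchars($field, ENT_QUOTES, 'UTF-8')
        . '" value="'
        . htmlspecialchars(axsrf_value(), ENT_QUOTES, 'UTF-8')
        . '" />';
}

// Compare the submitted token (POST first, then GET) with the stored one and
// end the request on mismatch, which is the behaviour described for AXSRF_check ().
function axsrf_check(string $field = 'AXSRF_token'): void
{
    $submitted = $_POST[$field] ?? $_GET[$field] ?? '';
    $stored    = axsrf_value();

    // Reject when no token was ever issued (not logged in), when the client sent
    // something that is not a string (e.g. AXSRF_token[]), or when the values
    // differ. hash_equals () compares in constant time.
    if ($stored === '' || !is_string($submitted) || !hash_equals($stored, $submitted)) {
        http_response_code(403);
        exit('Invalid token id');
    }
}

// Usage sketch: at login -> axsrf_init();  in the template -> echo axsrf_field();
// at the top of the handler that changes state -> axsrf_check();
```

The check runs before any state-changing work, and the token is compared with hash_equals () rather than == so that the comparison time does not leak how many leading characters matched.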

Example 1. test.tpl

<h1>Welcome to test page!</h1>
<form name="myform" action="test.php" method="post">
    <input type="hidden" name="cmd" value="process" />
    <p>Your name: <input type="text" name="name" /></p>
    <p><input type="submit" /></p>
</form>

test.php (the script the form above posts to):

<?php
require './includes/user_init.php';
$cmd = post_param ('cmd');

switch ($cmd) {
    case 'process':
        $name = post_param ('name');

        // check the AXSRF token before acting on the submitted data;
        // AXSRF_check () ends the request itself if the token doesn't match
        AXSRF_check ('AXSRF_token');
        // escape $name first if msg_die () outputs it as raw HTML
        msg_die ('echo', 'Your name is ' . $name);
        break;
}

$tpl = load_tpl ('test.tpl');
$txt['main_body'] = quick_tpl ($tpl, $txt);
flush_tpl ();

Note: you have to be logged in to try this example, as the AXSRF token is only generated once you are logged in; otherwise the script will always display "Invalid token id".

Posted On: Aug-26-2010 @ 07:00am
Last Updated: Jan-01-1970 @ 07:00am
