Stud.IP
5.4
CSRFProtection Class Reference

Static Public Member Functions
    static verifyUnsafeRequest ()
    static verifySecurityToken ()
    static verifyRequest ()
    static token ()
    static tokenTag (array $attributes=[])

Data Fields
    const TOKEN = 'security_token'
    const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'

Detailed Description
To protect Stud.IP from forged requests originating from other sites (cross-site request forgery), a security token is generated and stored in the session. All forms (or rather, all POST requests) have to contain that token, which is then compared on the server side against the session copy to verify the authenticity of the request. GET requests are not checked, because they are assumed to be safe in the sense of RFC 2616, i.e. to have no side effects; consequently, any action that changes state must be performed via POST, never via a plain link.
If a forgery is detected, an InvalidSecurityTokenException is thrown and a log entry is recorded in the error log.
The form (or request) parameter is named "security_token" (see CSRFProtection::TOKEN). If you are authoring an HTML form, you have to include the token as an input[type=hidden] element. This is easily done by calling CSRFProtection::tokenTag().
Checking the token is done implicitly when calling page_open in file lib/phplib/page4.inc, so pages routed through it need no explicit verification call.
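The following is an added, self-contained reimplementation of the scheme described above; it is illustrative code, not Stud.IP's CSRFProtection class. It keeps the page's parameter name ('security_token') and the $_SERVER key for the AJAX header ('HTTP_X_CSRF_TOKEN'), uses a plain array as a stand-in for $_SESSION so it runs from the PHP CLI without a web server, and exercises the check with constructed requests (a safe GET, a POST carrying the token in the body, a POST carrying it in the X-CSRF-Token header, a POST without a token, and a POST with a forged token). The class and function names are assumptions for this example.

```php
<?php
// Illustrative CSRF-token scheme, NOT Stud.IP's CSRFProtection code.
// $session stands in for $_SESSION so the script runs from the CLI.
declare(strict_types=1);

final class InvalidSecurityTokenException extends RuntimeException {}

final class DemoCsrf
{
    const TOKEN        = 'security_token';      // form / POST parameter name
    const AJAX_TOKEN   = 'HTTP_X_CSRF_TOKEN';   // $_SERVER key of the X-CSRF-Token header
    const SAFE_METHODS = ['GET', 'HEAD'];       // RFC 2616 section 9.1.1: no side effects

    /** Return the per-session token, generating it on first use. */
    public static function token(array &$session): string
    {
        if (empty($session[self::TOKEN])) {
            // 32 bytes from the CSPRNG -> 64 hex chars, unguessable per session
            $session[self::TOKEN] = bin2hex(random_bytes(32));
        }
        return $session[self::TOKEN];
    }

    /** Hidden input to embed in a form; the token is HTML-escaped. */
    public static function tokenTag(array &$session): string
    {
        return sprintf('<input type="hidden" name="%s" value="%s">',
            self::TOKEN, htmlspecialchars(self::token($session), ENT_QUOTES, 'UTF-8'));
    }

    /**
     * true if the request is safe (and therefore not checked) or carries the
     * session token in the POST body or the X-CSRF-Token header, else false.
     */
    public static function verifyRequest(array &$session, array $server, array $post): bool
    {
        if (in_array($server['REQUEST_METHOD'] ?? 'GET', self::SAFE_METHODS, true)) {
            return true;
        }
        $supplied = $post[self::TOKEN] ?? $server[self::AJAX_TOKEN] ?? null;
        if (!is_string($supplied) || $supplied === '') {
            return false;
        }
        // hash_equals: constant-time comparison, no timing side channel on the token
        return hash_equals(self::token($session), $supplied);
    }

    /** Throw (and log) instead of returning false, like the page describes. */
    public static function verifySecurityToken(array &$session, array $server, array $post): void
    {
        if (!self::verifyRequest($session, $server, $post)) {
            error_log('CSRF check failed for ' . ($server['REQUEST_METHOD'] ?? '?'));
            throw new InvalidSecurityTokenException('security token missing or invalid');
        }
    }
}

// Constructed requests against one simulated session.
$session = [];
$good    = DemoCsrf::token($session);

$cases = [
    'GET without token'           => [['REQUEST_METHOD' => 'GET'],  []],
    'POST with form token'        => [['REQUEST_METHOD' => 'POST'], [DemoCsrf::TOKEN => $good]],
    'POST with X-CSRF-Token hdr'  => [['REQUEST_METHOD' => 'POST', DemoCsrf::AJAX_TOKEN => $good], []],
    'POST without token'          => [['REQUEST_METHOD' => 'POST'], []],
    'POST with forged token'      => [['REQUEST_METHOD' => 'POST'], [DemoCsrf::TOKEN => str_repeat('0', 64)]],
];
foreach ($cases as $name => [$server, $post]) {
    try {
        DemoCsrf::verifySecurityToken($session, $server, $post);
        echo "$name: accepted\n";
    } catch (InvalidSecurityTokenException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Two details matter in practice: the comparison uses hash_equals() so that a byte-by-byte string compare does not leak how many leading characters of the token an attacker guessed right, and the token is never placed in a URL, only in a hidden field or a request header, so it does not end up in Referer headers or access logs.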
Member Function Documentation

static token ()
    Returns the token stored in the session, generating it first if required.
    Exceptions
        SessionRequiredException    there is no session to store the token in

static tokenTag (array $attributes=[])

static verifyRequest ()
    Checks the request and returns either true or false. It is called implicitly by CSRFProtection::verifySecurityToken(); you should never need to call it directly.

static verifySecurityToken ()
    Checks the request and throws an InvalidSecurityTokenException if it fails to verify the request's authenticity.
    Exceptions
        InvalidSecurityTokenException    request is invalid

static verifyUnsafeRequest ()
    Checks that the request uses an unsafe method (one that may change state) and that its security token matches; throws otherwise. Use it in handlers that must not be reachable via GET at all.
    Exceptions
        MethodNotAllowedException        The request has to be unsafe in terms of RFC 2616.
        InvalidSecurityTokenException    The request is invalid as the security token does not match.

Field Documentation

const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'
    The $_SERVER key under which the token is read for AJAX requests. By PHP's naming convention for request headers this corresponds to an X-CSRF-Token request header.

const TOKEN = 'security_token'
    The name of the parameter.
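An added usage example showing the documented API from the caller's side; this is not code from Stud.IP itself. It assumes only the static methods and constants listed above; the function names (renderDeleteForm, handleDelete, csrfMetaTag), the delete.php target and the entry_id parameter are hypothetical stand-ins for whatever your page or plugin uses.

```php
<?php
// Added usage example; assumes the CSRFProtection API documented on this page.
// renderDeleteForm/handleDelete/csrfMetaTag, delete.php and entry_id are hypothetical.

// 1. Rendering a state-changing form: embed the session token as a hidden
//    input via CSRFProtection::tokenTag() (the attribute array is optional).
function renderDeleteForm(string $entryId): string
{
    return '<form method="post" action="delete.php">'
         . CSRFProtection::tokenTag()
         . '<input type="hidden" name="entry_id" value="'
         . htmlspecialchars($entryId, ENT_QUOTES, 'UTF-8') . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

// 2. Handling the submission. page_open() has already verified the token for
//    POST requests, but a handler that must never run on GET/HEAD (so the action
//    cannot be triggered by a link or an <img src>) calls verifyUnsafeRequest()
//    itself and maps the two exceptions to the matching HTTP status codes.
function handleDelete(): void
{
    try {
        CSRFProtection::verifyUnsafeRequest();   // throws on a safe method or a bad token
    } catch (MethodNotAllowedException $e) {
        http_response_code(405);
        header('Allow: POST');
        return;
    } catch (InvalidSecurityTokenException $e) {
        http_response_code(403);                 // the failure is already in the error log
        return;
    }
    // ...perform the state change here...
}

// 3. AJAX callers send the same token in an X-CSRF-Token request header, which
//    PHP exposes as $_SERVER['HTTP_X_CSRF_TOKEN'] (CSRFProtection::AJAX_TOKEN).
//    Hand the token to page scripts once, in markup, never in a URL.
function csrfMetaTag(): string
{
    return '<meta name="csrf-token" content="'
         . htmlspecialchars(CSRFProtection::token(), ENT_QUOTES, 'UTF-8') . '">';
}
```

A script on the page can then read the meta tag and add the header to its requests; the server-side check is the same one the hidden form field goes through, so the two transport forms stay interchangeable.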