TYPO3 7.6
Public Member Functions
  persistSessionToken ()
Public Member Functions inherited from AbstractFormProtection
  __destruct ()
  clean ()
  generateToken ($formName, $action= '', $formInstanceName= '')
  validateToken ($tokenId, $formName, $action= '', $formInstanceName= '')
  persistSessionToken ()
Protected Member Functions
  retrieveSessionToken ()
Protected Member Functions inherited from AbstractFormProtection
  getSessionToken ()
  generateSessionToken ()
  createValidationErrorMessage ()
  retrieveSessionToken ()
Additional Inherited Members
Protected Attributes inherited from AbstractFormProtection
  $validationFailedCallback
  $sessionToken
This class provides protection against cross-site request forgery (XSRF/CSRF) in the install tool.
How to use this in the install tool:
For each form in the install tool (or link that changes some data), create a token and insert it as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.
    $formToken = $this->formProtection->generateToken(
        'installToolPassword',
        'change'
    );
Then put the generated form token in a hidden field in the template.
The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. the password change and editing the configuration), those values should be different.
When processing the data that has been submitted by the form, you can check that the form token is valid like this:
    if ($dataHasBeenSubmitted
        && $this->formProtection->validateToken(
            $_POST['formToken'],
            'installToolPassword',
            'change'
        )
    ) {
        // process the data
    } else {
        // No need to do anything here, as the install tool form protection
        // will create an error message for an invalid token.
    }
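The usage steps above, as a self-contained sketch of a token scheme with the same interface (an added example, not TYPO3's own code): the class name SketchFormProtection, the session key and the HMAC construction are assumptions. It shows why a token bound to $formName, $action and $formInstanceName is rejected on a different form or in a different session.

```php
<?php
// Added sketch, not TYPO3's implementation; class name and session key are hypothetical.
final class SketchFormProtection
{
    private $sessionToken; // per-session secret, plays the role of $sessionToken
    public function __construct(array &$session)
    {
        // Retrieve the session token, or generate and persist one on first use.
        if (empty($session['formProtectionSessionToken'])) {
            $session['formProtectionSessionToken'] = bin2hex(random_bytes(32));
        }
        $this->sessionToken = $session['formProtectionSessionToken'];
    }

    public function generateToken($formName, $action = '', $formInstanceName = '')
    {
        if ($formName === '') {
            throw new InvalidArgumentException('$formName must not be empty.');
        }
        // Length-prefix each part so ('ab', 'c') and ('a', 'bc') cannot collide.
        $context = '';
        foreach ([$formName, $action, $formInstanceName] as $part) {
            $context .= strlen($part) . ':' . $part;
        }
        return hash_hmac('sha256', $context, $this->sessionToken);
    }

    public function validateToken($tokenId, $formName, $action = '', $formInstanceName = '')
    {
        // Reject non-string input (for example formToken[]=x) before comparing.
        if (!is_string($tokenId)) {
            return false;
        }
        $expected = $this->generateToken($formName, $action, $formInstanceName);
        return hash_equals($expected, $tokenId); // constant-time comparison
    }
}

// Constructed sample run; $session stands in for the install tool's session storage.
$session = [];
$protection = new SketchFormProtection($session);
$formToken = $protection->generateToken('installToolPassword', 'change');
// Same form and action as at generation time.
var_dump($protection->validateToken($formToken, 'installToolPassword', 'change'));
// Same token replayed against a different form and action.
var_dump($protection->validateToken($formToken, 'installToolConfiguration', 'edit'));
// Same token presented in a different session.
$otherSession = [];
var_dump((new SketchFormProtection($otherSession))->validateToken($formToken, 'installToolPassword', 'change'));
```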
Install Tool form protection
Definition at line 59 of file InstallToolFormProtection.php.
persistSessionToken ()
Saves the tokens so that they can be used by a later incarnation of this class.
Definition at line 82 of file InstallToolFormProtection.php.
References AbstractFormProtection\$sessionToken.
Referenced by InstallToolFormProtection\retrieveSessionToken().
retrieveSessionToken () [protected]
Retrieves or generates the session token.
Definition at line 66 of file InstallToolFormProtection.php.
References AbstractFormProtection\generateSessionToken(), and InstallToolFormProtection\persistSessionToken().