TYPO3CMS 11.5
TYPO3\CMS\Core\FormProtection\InstallToolFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\InstallToolFormProtection:
TYPO3\CMS\Core\FormProtection\AbstractFormProtection TYPO3\CMS\Core\Security\BlockSerializationTrait

Public Member Functions

persistSessionToken ()
- Public Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
clean ()
string generateToken ($formName, $action='', $formInstanceName='')
bool validateToken ($tokenId, $formName, $action='', $formInstanceName='')
- Public Member Functions inherited from TYPO3\CMS\Core\Security\BlockSerializationTrait
__wakeup ()

Protected Member Functions

retrieveSessionToken ()
- Protected Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
string getSessionToken ()
string generateSessionToken ()
createValidationErrorMessage ()

Additional Inherited Members

- Protected Attributes inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
Closure|null $validationFailedCallback
string|null $sessionToken

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) in the install tool.

How to use this in the install tool:

For each form in the install tool (or link that changes some data), create a token and insert it as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.

    $formToken = $this->formProtection->generateToken(
        'installToolPassword', 'change'
    );
    // then puts the generated form token in a hidden field in the template

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. the password change and editing the configuration), those values should be different.

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

    if ($dataHasBeenSubmitted && $this->formProtection->validateToken(
        $tokenId, // the form token submitted with the request
        'installToolPassword',
        'change'
    )) {
        // processes the data
    } else {
        // no need to do anything here as the install tool form protection will
        // create an error message for an invalid token
    }

Install Tool form protection
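
The following stand-alone sketch is an added example, not TYPO3's code: it shows why a token generated for one form name and action is rejected for another form, another action or another session. The class name DemoFormProtection, the HMAC-SHA256 construction and the sample values 'delete', 'installToolConfiguration' and 'edit' are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative sketch only: NOT TYPO3's implementation. The class name and the
// HMAC construction are assumptions chosen to show the idea.
final class DemoFormProtection
{
    private string $sessionToken;

    public function __construct(?string $sessionToken = null)
    {
        // One random secret per session; a real application persists it in the session.
        $this->sessionToken = $sessionToken ?? bin2hex(random_bytes(32));
    }

    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        // JSON-encode the parts so that ('ab', 'c') and ('a', 'bc') cannot collide.
        $context = json_encode([$formName, $action, $formInstanceName], JSON_THROW_ON_ERROR);
        return hash_hmac('sha256', $context, $this->sessionToken);
    }

    public function validateToken(string $tokenId, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        // Recompute the expected value and compare in constant time.
        return hash_equals($this->generateToken($formName, $action, $formInstanceName), $tokenId);
    }
}

// Constructed sample run.
$protection = new DemoFormProtection();
$formToken = $protection->generateToken('installToolPassword', 'change');

$checks = [
    'same form and action' => $protection->validateToken($formToken, 'installToolPassword', 'change'),
    'different action' => $protection->validateToken($formToken, 'installToolPassword', 'delete'),
    'different form' => $protection->validateToken($formToken, 'installToolConfiguration', 'edit'),
    'different session' => (new DemoFormProtection())->validateToken($formToken, 'installToolPassword', 'change'),
    'empty token' => $protection->validateToken('', 'installToolPassword', 'change'),
];

foreach ($checks as $label => $result) {
    printf("%-22s %s\n", $label, $result ? 'accepted' : 'rejected');
}
```

Only the first check is accepted; every other combination fails because the recomputed HMAC differs from the submitted token.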

Definition at line 60 of file InstallToolFormProtection.php.

Member Function Documentation

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\InstallToolFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Reimplemented from TYPO3\CMS\Core\FormProtection\AbstractFormProtection.

Definition at line 80 of file InstallToolFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken.

Referenced by TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\retrieveSessionToken().

◆ retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\InstallToolFormProtection::retrieveSessionToken ( )