BackendFormProtection extends AbstractFormProtection

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms in the BE.

How to use:

For each form in the BE (or link that changes some data), create a token and insert is as a hidden form element. The name of the form element does not matter; you only need it to get the form token for verifying it.

$formToken = TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
->generateToken(
'BE user setup', 'edit'
);
$this->content .= '';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. BE user setup and editing a tt_content record) or different records (with different UIDs) from the same table, those values should be different.

For editing a tt_content record, the call could look like this:

$formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
->getFormProtection()->generateToken(
'tt_content', 'edit', $uid
);

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
->validateToken(
\TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
'BE user setup', 'edit
)
) {
processes the data
} else {
no need to do anything here as the BE form protection will create a
flash message for an invalid token
}

Table of Contents

Properties

$backendUser  : BackendUserAuthentication
Keeps the instance of the user which existed during creation of the object.
$registry  : Registry
Instance of the registry, which is used to permanently persist the session token so that it can be restored during re-login.
$sessionToken  : string|null
The session token which is used to be hashed during token generation.
$validationFailedCallback  : Closure|null

Methods

__construct()  : mixed
Only allow construction if we have an authorized backend session
__wakeup()  : mixed
Deny object deserialization.
clean()  : mixed
Deletes the session token and persists the (empty) token.
generateToken()  : string
Generates a token for a form by hashing the given parameters with the secret session token.
persistSessionToken()  : mixed
Saves the tokens so that they can be used by a later incarnation of this class.
removeSessionTokenFromRegistry()  : mixed
Removes the session token for the user from the registry.
setSessionTokenFromRegistry()  : string
Sets the session token for the user from the registry and returns it additionally.
storeSessionTokenInRegistry()  : mixed
Stores the session token in the registry to have it available during re-login of the user.
validateToken()  : bool
Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.
createValidationErrorMessage()  : mixed
Creates or displays an error message telling the user that the submitted form token is invalid.
generateSessionToken()  : string
Generates the random token which is used in the hash for the form tokens.
getSessionToken()  : string
isAuthorizedBackendSession()  : bool
Checks if a user is logged in and the session is active.
retrieveSessionToken()  : string
Retrieves the saved session token or generates a new one.

Properties

$registry

Instance of the registry, which is used to permanently persist the session token so that it can be restored during re-login.

protected Registry $registry

$sessionToken

The session token which is used to be hashed during token generation.

protected string|null $sessionToken

$validationFailedCallback

protected Closure|null $validationFailedCallback

Methods

__wakeup()

Deny object deserialization.

public __wakeup() : mixed

clean()

Deletes the session token and persists the (empty) token.

public clean() : mixed

This function is intended to be called when a user logs on or off.

generateToken()

Generates a token for a form by hashing the given parameters with the secret session token.

public generateToken(string $formName[, string $action = '' ][, string $formInstanceName = '' ]) : string

Calling this function two times with the same parameters will create the same valid token during one user session.

Parameters
$formName : string
$action : string = ''
$formInstanceName : string = ''
Tags
throws
InvalidArgumentException
Return values
string

the 32-character hex ID of the generated token

persistSessionToken()

Saves the tokens so that they can be used by a later incarnation of this class.

public persistSessionToken() : mixed
Internal

removeSessionTokenFromRegistry()

Removes the session token for the user from the registry.

public removeSessionTokenFromRegistry() : mixed
Internal

setSessionTokenFromRegistry()

Sets the session token for the user from the registry and returns it additionally.

public setSessionTokenFromRegistry() : string
Internal
Tags
throws
UnexpectedValueException
Return values
string

storeSessionTokenInRegistry()

Stores the session token in the registry to have it available during re-login of the user.

public storeSessionTokenInRegistry() : mixed
Internal

validateToken()

Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.

public validateToken(string $tokenId, string $formName[, string $action = '' ][, string $formInstanceName = '' ]) : bool
Parameters
$tokenId : string
$formName : string
$action : string = ''
$formInstanceName : string = ''
Return values
bool

createValidationErrorMessage()

Creates or displays an error message telling the user that the submitted form token is invalid.

protected createValidationErrorMessage() : mixed

generateSessionToken()

Generates the random token which is used in the hash for the form tokens.

protected generateSessionToken() : string
Return values
string

getSessionToken()

protected getSessionToken() : string
Return values
string

isAuthorizedBackendSession()

Checks if a user is logged in and the session is active.

protected isAuthorizedBackendSession() : bool
Return values
bool

retrieveSessionToken()

Retrieves the saved session token or generates a new one.

protected retrieveSessionToken() : string
Return values
string

        
On this page

Search results