FrontendFormProtection extends AbstractFormProtection

This class provides protection against cross-site request forgery (XSRF/CSRF) for actions in the frontend that change data.

How to use:

For each form (or link that changes some data), create a token and insert is as a hidden form element or use it as GET argument. The name of the form element does not matter; you only need it to get the form token for verifying it.

$formToken = TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
->generateToken(
'User setup', 'edit'
);
$this->content .= '';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible. For different forms (e.g. User setup and editing a news record) or different records (with different UIDs) from the same table, those values should be different.

For editing a news record, the call could look like this:

$formToken = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
->getFormProtection()->generateToken(
'news', 'edit', $uid
);

When processing the data that has been submitted by the form, you can check that the form token is valid like this:

if ($dataHasBeenSubmitted && \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()
->validateToken(
\TYPO3\CMS\Core\Utility\GeneralUtility::_POST('formToken'),
'User setup', 'edit
)
) {
Processes the data.
} else {
Create a flash message for the invalid token or just discard this request.
}

Table of Contents

Properties

$frontendUser  : FrontendUserAuthentication
Keeps the instance of the user which existed during creation of the object.
$sessionToken  : string|null
The session token which is used to be hashed during token generation.
$validationFailedCallback  : Closure|null

Methods

__construct()  : mixed
Only allow construction if we have an authorized frontend session
__wakeup()  : mixed
Deny object deserialization.
clean()  : mixed
Deletes the session token and persists the (empty) token.
generateToken()  : string
Generates a token for a form by hashing the given parameters with the secret session token.
persistSessionToken()  : mixed
Saves the tokens so that they can be used by a later incarnation of this class.
validateToken()  : bool
Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.
createValidationErrorMessage()  : mixed
Creates or displays an error message telling the user that the submitted form token is invalid.
generateSessionToken()  : string
Generates the random token which is used in the hash for the form tokens.
getSessionToken()  : string
isAuthorizedFrontendSession()  : bool
Checks if a user is logged in and the session is active.
retrieveSessionToken()  : string
Retrieves the saved session token or generates a new one.

Properties

$sessionToken

The session token which is used to be hashed during token generation.

protected string|null $sessionToken

$validationFailedCallback

protected Closure|null $validationFailedCallback

Methods

__wakeup()

Deny object deserialization.

public __wakeup() : mixed

clean()

Deletes the session token and persists the (empty) token.

public clean() : mixed

This function is intended to be called when a user logs on or off.

generateToken()

Generates a token for a form by hashing the given parameters with the secret session token.

public generateToken(string $formName[, string $action = '' ][, string $formInstanceName = '' ]) : string

Calling this function two times with the same parameters will create the same valid token during one user session.

Parameters
$formName : string
$action : string = ''
$formInstanceName : string = ''
Tags
throws
InvalidArgumentException
Return values
string

the 32-character hex ID of the generated token

persistSessionToken()

Saves the tokens so that they can be used by a later incarnation of this class.

public persistSessionToken() : mixed
Internal

validateToken()

Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.

public validateToken(string $tokenId, string $formName[, string $action = '' ][, string $formInstanceName = '' ]) : bool
Parameters
$tokenId : string
$formName : string
$action : string = ''
$formInstanceName : string = ''
Return values
bool

createValidationErrorMessage()

Creates or displays an error message telling the user that the submitted form token is invalid.

protected createValidationErrorMessage() : mixed

generateSessionToken()

Generates the random token which is used in the hash for the form tokens.

protected generateSessionToken() : string
Return values
string

getSessionToken()

protected getSessionToken() : string
Return values
string

isAuthorizedFrontendSession()

Checks if a user is logged in and the session is active.

protected isAuthorizedFrontendSession() : bool
Return values
bool

retrieveSessionToken()

Retrieves the saved session token or generates a new one.

protected retrieveSessionToken() : string
Return values
string

        
On this page

Search results