TYPO3\CMS\Core\FormProtection\AbstractFormProtection Class Reference

Inheritance diagram for TYPO3\CMS\Core\FormProtection\AbstractFormProtection:

Public Member Functions
	__destruct ()
	clean ()
	generateToken ($formName, $action='', $formInstanceName='')
	validateToken ($tokenId, $formName, $action='', $formInstanceName='')
	persistSessionToken ()

Protected Member Functions
	getSessionToken ()
	generateSessionToken ()
	createValidationErrorMessage ()
	retrieveSessionToken ()

Protected Attributes
	$validationFailedCallback
	$sessionToken

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms.

For documentation on how to use this class, please see the documentation of the corresponding subclasses

Definition at line 26 of file AbstractFormProtection.php.

Constructor & Destructor Documentation

__destruct()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::__destruct

(

)

Frees as much memory as possible.

Definition at line 54 of file AbstractFormProtection.php.

Member Function Documentation

clean()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::clean

(

)

Deletes the session token and persists the (empty) token.

This function is intended to be called when a user logs on or off.

Returns

void

Definition at line 66 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\persistSessionToken().

createValidationErrorMessage()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::createValidationErrorMessage ( )

protected

Creates or displays an error message telling the user that the submitted form token is invalid.

Returns

void

Definition at line 134 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\persistSessionToken(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\retrieveSessionToken().

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\validateToken().

generateSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::generateSessionToken ( )

protected

Generates the random token which is used in the hash for the form tokens.

Returns

string

Definition at line 123 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\Utility\GeneralUtility\generateRandomBytes().

Referenced by TYPO3\CMS\Core\Tests\Unit\FormProtection\Fixtures\FormProtectionTesting\retrieveSessionToken(), TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\retrieveSessionToken(), TYPO3\CMS\Core\FormProtection\FrontendFormProtection\retrieveSessionToken(), and TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken().

generateToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::generateToken	(		$formName,
			$action = '',
			$formInstanceName = ''
	)

Generates a token for a form by hashing the given parameters with the secret session token.

Calling this function two times with the same parameters will create the same valid token during one user session.

Parameters

string	$formName
string	$action
string	$formInstanceName

Returns

string the 32-character hex ID of the generated token

Exceptions

Definition at line 85 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken(), and TYPO3\CMS\Core\Utility\GeneralUtility\hmac().

getSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::getSessionToken ( )

protected

Returns

string

Definition at line 43 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken, and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\retrieveSessionToken().

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\generateToken(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\validateToken().

persistSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::persistSessionToken ( )

abstract

Saves the session token so that it can be used by a later incarnation of this class.

private

Returns

void

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\clean(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\createValidationErrorMessage().

retrieveSessionToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::retrieveSessionToken ( )

abstractprotected

Retrieves the session token.

Returns

string

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\createValidationErrorMessage(), and TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken().

validateToken()

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::validateToken	(		$tokenId,
			$formName,
			$action = '',
			$formInstanceName = ''
	)

Checks whether the token $tokenId is valid in the form $formName with $formInstanceName.

Parameters

string	$tokenId
string	$formName
string	$action
string	$formInstanceName

Returns

bool

Definition at line 104 of file AbstractFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\createValidationErrorMessage(), TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken(), and TYPO3\CMS\Core\Utility\GeneralUtility\hmac().

Member Data Documentation

$sessionToken

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::$sessionToken

protected

Definition at line 38 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\AbstractFormProtection\getSessionToken(), TYPO3\CMS\Core\FormProtection\InstallToolFormProtection\persistSessionToken(), TYPO3\CMS\Core\FormProtection\FrontendFormProtection\retrieveSessionToken(), TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken(), and TYPO3\CMS\Core\FormProtection\BackendFormProtection\setSessionTokenFromRegistry().

$validationFailedCallback

TYPO3\CMS\Core\FormProtection\AbstractFormProtection::$validationFailedCallback

protected

Definition at line 31 of file AbstractFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\FrontendFormProtection\__construct(), and TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().