TYPO3CMS main
TYPO3\CMS\Core\FormProtection\BackendFormProtection Class Reference
Inheritance diagram for TYPO3\CMS\Core\FormProtection\BackendFormProtection:
TYPO3\CMS\Core\FormProtection\AbstractFormProtection TYPO3\CMS\Core\Security\BlockSerializationTrait

Public Member Functions

 __construct (BackendUserAuthentication $backendUser, Registry $registry, ?\Closure $validationFailedCallback=null)
 persistSessionToken ()
string setSessionTokenFromRegistry ()
 storeSessionTokenInRegistry ()
 removeSessionTokenFromRegistry ()
- Public Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
 clean ()
string generateToken ($formName, $action='', $formInstanceName='')
bool validateToken ($tokenId, $formName, $action='', $formInstanceName='')
- Public Member Functions inherited from TYPO3\CMS\Core\Security\BlockSerializationTrait
 __wakeup ()

Protected Member Functions

string retrieveSessionToken ()
bool isAuthorizedBackendSession ()
- Protected Member Functions inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
string getSessionToken ()
string generateSessionToken ()
 createValidationErrorMessage ()

Protected Attributes

BackendUserAuthentication $backendUser
Registry $registry
- Protected Attributes inherited from TYPO3\CMS\Core\FormProtection\AbstractFormProtection
Closure null $validationFailedCallback
string null $sessionToken

Detailed Description

This class provides protection against cross-site request forgery (XSRF/CSRF) for forms in the BE.

How to use:

For each form in the BE (or link that changes some data), create a token and insert it as a hidden form element. The name of the form element does not matter; you only need it to read the token back from the submitted data when verifying it.

$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
    ->generateToken(
        'BE user setup', 'edit'
    );
$this->content .= '<input type="hidden" name="formToken" value="' .
    $formToken . '" >';

The three parameters $formName, $action and $formInstanceName can be arbitrary strings, but they should make the form token as specific as possible, so that a token issued for one form or record cannot be replayed against another. For different forms (e.g. BE user setup and editing a tt_content record) or different records (with different UIDs) from the same table, those values should be different.

For editing a tt_content record, the call could look like this:

$formToken = GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
    ->generateToken(
        'tt_content', 'edit', $uid
    );

When processing the data that has been submitted by the form, check that the form token is valid before acting on the data, passing the same $formName, $action and $formInstanceName that were used to generate it:

if ($dataHasBeenSubmitted && GeneralUtility::makeInstance(FormProtectionFactory::class)->createFromType('backend')
    ->validateToken(
        // token submitted in the hidden field named "formToken" above
        // (assumes a PSR-7 $request; a missing field is treated as an invalid token)
        $request->getParsedBody()['formToken'] ?? '',
        'BE user setup', 'edit'
    )
) {
    // process the data
} else {
    // no need to do anything here as the BE form protection will create a
    // flash message for an invalid token
}
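The following request handler is an added example, not code from TYPO3 or from this class: it shows the generate-then-validate cycle for editing one tt_content record using the constructor, generateToken() and validateToken() documented on this page. Everything else is assumed for illustration: the handler class and its namespace, the uid query parameter, the field names, the injected PSR logger, and that the closure passed as $validationFailedCallback is invoked when validation fails. The object is built directly from the documented constructor here; in real code it is obtained through FormProtectionFactory as in the description above, which also supplies the callback that produces the flash message.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Controller;   // hypothetical extension namespace

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Log\LoggerInterface;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\FormProtection\BackendFormProtection;
use TYPO3\CMS\Core\Http\HtmlResponse;
use TYPO3\CMS\Core\Registry;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Hypothetical backend request handler (added example, not part of TYPO3).
 * GET renders the edit form with a fresh token; POST validates the token
 * before any data reaches the DataHandler.
 */
final class ContentEditHandler
{
    private const FORM_NAME = 'tt_content';
    private const ACTION = 'edit';

    public function __construct(private readonly LoggerInterface $logger) {}

    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        $uid = (int)($request->getQueryParams()['uid'] ?? 0);
        $formProtection = $this->createFormProtection();

        if ($request->getMethod() === 'POST') {
            $body = (array)$request->getParsedBody();
            // Token comes from the hidden field rendered below; a missing field is invalid.
            $tokenId = (string)($body['formToken'] ?? '');
            // Same form name, action and instance name as at generation time. The record
            // uid as instance name binds the token to this record, so a token obtained
            // for another record does not validate here.
            if (!$formProtection->validateToken($tokenId, self::FORM_NAME, self::ACTION, (string)$uid)) {
                // Nothing is persisted on failure; the failure callback has already run.
                return new HtmlResponse('Form token invalid, no changes saved.', 400);
            }
            $this->saveHeader($uid, (string)($body['header'] ?? ''));
            return new HtmlResponse('Record ' . $uid . ' saved.');
        }

        $formToken = $formProtection->generateToken(self::FORM_NAME, self::ACTION, (string)$uid);
        return new HtmlResponse($this->renderForm($uid, $formToken));
    }

    private function createFormProtection(): BackendFormProtection
    {
        // Assumed: the closure is called by the class when a token fails validation.
        $onFailure = function (): void {
            $this->logger->warning('Backend form token validation failed', [
                'be_user' => $GLOBALS['BE_USER']->user['uid'] ?? null,
            ]);
        };
        // Direct construction for illustration; see the factory call in the description above.
        return new BackendFormProtection(
            $GLOBALS['BE_USER'],
            GeneralUtility::makeInstance(Registry::class),
            $onFailure
        );
    }

    private function renderForm(int $uid, string $formToken): string
    {
        // Assumed field names and action URL. The token is escaped like any other attribute value.
        return '<form method="post" action="?uid=' . $uid . '">'
            . '<input type="hidden" name="formToken" value="' . htmlspecialchars($formToken, ENT_QUOTES) . '">'
            . '<input type="text" name="header">'
            . '<button type="submit">Save</button>'
            . '</form>';
    }

    private function saveHeader(int $uid, string $header): void
    {
        // Only reached after validateToken() succeeded.
        $dataHandler = GeneralUtility::makeInstance(DataHandler::class);
        $dataHandler->start(['tt_content' => [$uid => ['header' => $header]]], []);
        $dataHandler->process_datamap();
    }
}
```

The same pattern applies to a link that changes data (the description above mentions this case): generate the token with the link's own form name, action and instance name, append it as a query parameter, and call validateToken() on it before performing the change.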

Definition at line 74 of file BackendFormProtection.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::__construct ( BackendUserAuthentication $backendUser, Registry $registry, ?\Closure $validationFailedCallback = null )

Member Function Documentation

◆ isAuthorizedBackendSession()

bool TYPO3\CMS\Core\FormProtection\BackendFormProtection::isAuthorizedBackendSession ( )

Checks if a user is logged in and the session is active.


Definition at line 174 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ persistSessionToken()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::persistSessionToken ( )

Saves the tokens so that they can be used by a later incarnation of this class.

Reimplemented from TYPO3\CMS\Core\FormProtection\AbstractFormProtection.

Definition at line 126 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\retrieveSessionToken().

◆ removeSessionTokenFromRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::removeSessionTokenFromRegistry ( )

Removes the session token for the user from the registry.

Definition at line 164 of file BackendFormProtection.php.

◆ retrieveSessionToken()

string TYPO3\CMS\Core\FormProtection\BackendFormProtection::retrieveSessionToken ( )

◆ setSessionTokenFromRegistry()

string TYPO3\CMS\Core\FormProtection\BackendFormProtection::setSessionTokenFromRegistry ( )

Sets the session token for the user from the registry and returns it additionally.


Definition at line 139 of file BackendFormProtection.php.

References TYPO3\CMS\Core\FormProtection\AbstractFormProtection\$sessionToken.

◆ storeSessionTokenInRegistry()

TYPO3\CMS\Core\FormProtection\BackendFormProtection::storeSessionTokenInRegistry ( )

Stores the session token in the registry to have it available during re-login of the user.

Definition at line 154 of file BackendFormProtection.php.

Member Data Documentation

◆ $backendUser

BackendUserAuthentication TYPO3\CMS\Core\FormProtection\BackendFormProtection::$backendUser

Keeps the instance of the user which existed during creation of the object.

Definition at line 81 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().

◆ $registry

Registry TYPO3\CMS\Core\FormProtection\BackendFormProtection::$registry

Instance of the registry, which is used to permanently persist the session token so that it can be restored during re-login.

Definition at line 88 of file BackendFormProtection.php.

Referenced by TYPO3\CMS\Core\FormProtection\BackendFormProtection\__construct().