Foren / Unrelated / Offtopic / End of Seditio and LDU

GHengeveld
#35175 21. August 2012, 07:25

Cotonti has a system in place to prevent CSRF. It uses a security token named "x" and is stored in $sys['xk'] in the code. Cotonti automatically creates a hidden input field for every form, which contains the current value of $sys['xk'], so when the form is submitted, the token is sent along with it. Upon receiving a POST request, Cotonti automatically verifies the value of "x" to match the value of $sys['xk']. If it doesn't match, the request is denied and an error page is returned. The value of $sys['xk'] is changed regularly.

As an extension developer, you usually don't have to worry much about CSRF. If you use regular forms and send them using POST, Cotonti will handle the inclusion and validation of the security token automatically. However, if you're going to send stuff to the server using an AJAX POST request, you'll have to include the security key yourself. You can do this by simply using {PHP.sys.xk} in your tpl. For example:

// In a .tpl file the {PHP...} placeholders are expanded server-side before the
// script reaches the browser; "x" carries the current security token.
jQuery.post(
  "{PHP.cfg.mainurl}/{PHP|cot_url("plug", "e=myplugin", "", 1)}",
  { x: "{PHP.sys.xk}" }
);

If you want to verify the security token in a GET request, you can use cot_check_xg().