27 lines
969 B
Plaintext
27 lines
969 B
Plaintext
:sig
|
|
String csrf_token(String session_name = "uce-session", String token_name = "csrf_token")
|
|
|
|
:params
|
|
session_name : session/cookie name to store the token under
|
|
token_name : form/action token namespace inside the session
|
|
return value : printable CSRF token for the active session
|
|
|
|
:content
|
|
Starts the named session if needed and returns a stable per-session CSRF token for `token_name`. Use it in hidden fields on forms that mutate server state, then verify the submitted value with `csrf_valid()` before applying the change.
|
|
|
|
Tokens are generated from cryptographic randomness and stored in `context.session` under an internal key. Use a different `token_name` when independent forms should have independent tokens.
|
|
|
|
:example
|
|
String token = csrf_token("uce-doc-session");
|
|
?><form method="post">
|
|
<input type="hidden" name="csrf_token" value="<?= token ?>">
|
|
<button type="submit">Save</button>
|
|
</form><?
|
|
|
|
:see
|
|
>http
|
|
csrf_valid
|
|
csrf_rotate
|
|
session_start
|
|
random_bytes
|