28 lines
1.1 KiB
Plaintext
28 lines
1.1 KiB
Plaintext
:sig
|
|
String csrf_field(String session_name = "uce-session", String token_name = "csrf_token", String field_name = "")
|
|
|
|
:params
|
|
session_name : session/cookie name to store the token under
|
|
token_name : form/action token namespace
|
|
field_name : submitted POST field name; defaults to `token_name`
|
|
return value : HTML hidden input containing the active CSRF token
|
|
|
|
:content
|
|
Starts the named session if needed and returns the standard hidden form input for a CSRF token. The field name and generated token value are HTML-escaped.
|
|
|
|
Use this in ordinary server-rendered POST forms when the submitted field name should match `token_name`, or pass `field_name` when several forms share the same submitted parameter name but need separate token namespaces. Validate the submitted value with `csrf_valid(context.post[field_name], session_name, token_name)` before mutating state.
|
|
|
|
:example
|
|
?><form method="post">
|
|
<? print(csrf_field("uce-doc-session")); ?>
|
|
<? print(csrf_field("uce-doc-session", "profile_form", "csrf_token")); ?>
|
|
<button type="submit">Save</button>
|
|
</form><?
|
|
|
|
:see
|
|
>http
|
|
csrf_token
|
|
csrf_valid
|
|
csrf_rotate
|
|
session_start
|