26 lines
1016 B
Plaintext
26 lines
1016 B
Plaintext
:sig
|
|
bool csrf_valid(String submitted_token, String session_name = "uce-session", String token_name = "csrf_token")
|
|
|
|
:params
|
|
submitted_token : value received from the request, usually `context.post["csrf_token"]`
|
|
session_name : session/cookie name used by `csrf_token()`
|
|
token_name : form/action token namespace used by `csrf_token()`
|
|
return value : `true` when the submitted token matches the session token
|
|
|
|
:content
|
|
Starts the named session if needed and checks `submitted_token` against the stored CSRF token using constant-time comparison. It does not create a token when none exists, so a request without a previously rendered form token fails closed.
|
|
|
|
Use this before mutating state from POST forms or other browser-submitted requests.
|
|
|
|
:example
|
|
String token = csrf_token("uce-doc-session");
|
|
print(csrf_valid(token, "uce-doc-session") ? "valid\n" : "invalid\n");
|
|
print(csrf_valid("bad-token", "uce-doc-session") ? "bad valid\n" : "bad invalid\n");
|
|
|
|
:see
|
|
>http
|
|
csrf_token
|
|
csrf_rotate
|
|
crypto_equal
|
|
session_start
|