
Jelix - The revealing, Token

Since Jelix 1.1RC1, the "fight" against CSRF is done with tokens: your forms are secured fully automatically and transparently, but that is not all!

How?

Let's suppose we edit article 1 from the URL http://localhost/article/edit/1

The code of the "edit" method will be:

function edit() {
    // get the ID from the URL
    $id = (integer) $this->param('id');
    // if the validate button is not used, we initiate a form
    if ($this->param('validate') == '') {
        $form = jForms::get('article~artdao', $id);
    }
    // the validate button is submitted
    else {
        // get the form instance (note: no $id passed here)
        $form = jForms::fill('article~artdao');
        $form->saveToDao('article~artdao', $id);
    }
}

What will happen with this code?

  1. Accessing the edit page will work fine.
  2. Saving the data will not work, and we will have an error message:
[exception 835]  Invalid form token, you should fill the form correctly from the site ..lib/jelix/forms/jFormsBase.class.php 142

Even if we empty the cache of the application, nothing will change, nothing will work…

So what's wrong; why this error message?

Simply because during the initialisation of the $form instance (with jForms::get()) we gave the ID parameter, but we didn't use it when filling it with:

   $form = jForms::fill('article~artdao');

So, replace the line above by this one:

   $form = jForms::fill('article~artdao',$id);

and then the error message about the token will be gone with the wind ;)
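To see why the ID matters, here is a simplified model of per-instance form tokens, added as an illustration and not Jelix's own code: the FormStore class, the "selector#id" session key and the hidden field name __token__ are assumptions made for the example, not Jelix identifiers.

```php
<?php
// Simplified model (not Jelix code): each form instance is stored in the
// session under (selector, id) together with its own random anti-CSRF token.
class FormStore
{
    private array $session = [];   // stands in for $_SESSION

    // jForms::get() equivalent: create (or reuse) the instance and its token
    public function get(string $selector, $id = 0): array
    {
        $key = $selector . '#' . $id;          // assumed key layout
        if (!isset($this->session[$key])) {
            $this->session[$key] = [
                'token' => bin2hex(random_bytes(16)),
                'data'  => [],
            ];
        }
        return $this->session[$key];
    }

    // jForms::fill() equivalent: look up the instance for (selector, id)
    // and compare the posted token with the stored one
    public function fill(string $selector, $id, array $post): array
    {
        $key = $selector . '#' . $id;
        if (!isset($this->session[$key])) {
            throw new RuntimeException("Invalid form token: no instance for $key");
        }
        $expected = $this->session[$key]['token'];
        if (!isset($post['__token__']) || !hash_equals($expected, $post['__token__'])) {
            throw new RuntimeException("Invalid form token for $key");
        }
        $this->session[$key]['data'] = $post;
        return $this->session[$key];
    }
}

$store = new FormStore();
$id = 1;
// GET /article/edit/1: the form is created and its token goes into a hidden field
$form = $store->get('article~artdao', $id);
$post = ['title' => 'Hello', '__token__' => $form['token']];   // constructed POST

// Buggy controller: fill() without $id looks up the default instance "#0"
try {
    $store->fill('article~artdao', 0, $post);
} catch (RuntimeException $e) {
    echo "without id: ", $e->getMessage(), "\n";
}
// Corrected controller: same $id as in get(), so the token matches
$saved = $store->fill('article~artdao', $id, $post);
echo "with id: saved '", $saved['data']['title'], "'\n";
```

A forged request carrying no token, or a token for another instance, fails the same check, which is what the token is there for.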

So here is a way to check that our form is correctly managed by the anti-CSRF function ;-)

en/tutorials/jforms/token.txt · Last modified: 2012/01/31 10:00 by foxmask
