jrCore_set_csrf_cookie()

Table of Contents:


Overview
Example
  • Overview

    The jrCore_set_csrf_cookie() javascript function is used in ajax and javascript redirect functions to verify that incoming urls are local. It is possible for a different site to POST information to your server, if your server accepts that information as if it had come from itself, that provides a method for hackers to fiddle with your system. Adding a CSRF cookie before submission ensures that the server side processor knows that the incoming data is genuine.
  • Example

    This example comes from the discussion module ( jrDiscussion )

    In javascript set the url you are posting too is set jrCore_set_csrf_cookie(url); then POSTed to.
    function jrDiscussionFollowTopicToggle(topic_id)
    {
        var url = core_system_url + '/' + jrDiscussion_url + '/toggle_topic_watch/__ajax=1';
        jrCore_set_csrf_cookie(url);
        $.post(url, {
    //......
  • Then in the server side function simply add jrCore_validate_location_url(); to the top of your view function to validate incoming requests.
    //-----------------------------------------------------------------------
    
    // ajax, toggle between watching and not watching a topic of a discussion
    
    //----------------------------------------------------------------------
    
    function view_jrDiscussion_toggle_topic_watch($_post, $_user, $_conf)
    {
        jrUser_session_require_login();
        jrCore_validate_location_url();
  • If external requests come in without that validation, they will not get processed.

    External requests can't set a cookie for a local domain, so you're safe.

Share This

Tags