security::csrf::new (public)

 security::csrf::new [ -tokenname tokenname ] [ -user_id user_id ]

Defined in packages/acs-tcl/tcl/security-procs.tcl

Create a security token to protect against CSRF (Cross-Site Request Forgery). The token is set (and cached) in a global per-thread variable and can be included in forms e.g. via the following command.

        <if @::__csrf_token@ defined>
            <input type="hidden" name="__csrf_token" value="@::__csrf_token;literal@">
        </if>

The token is automatically cleared together with other global variables at the end of the processing of every request.

The optional argument user_id is currently ignored, but it is there, since there are algorithms published to calculate the CSRF token based on a user_id. So far, i found no evidence that these should be used, but the argument is there as a reminder, such the interface does not have to be used, when we switch to such an algorithm.

Switches:

-tokenname

(defaults to "__csrf_token") (optional)

-user_id

(optional)

Returns:

CSRF token

Author:

Gustaf Neumann

Partial Call Graph (max 5 caller/called nodes):

Testcases:

No testcase defined.

Source code:

        set globalTokenName ::$tokenname
        if {[info exists $globalTokenName] && [set $globalTokenName] ne ""} {
            return [set $globalTokenName]
        }

        set token [token -tokenname $tokenname]
        return [set $globalTokenName $token]

Generic XQL file:

packages/acs-tcl/tcl/security-procs.xql

PostgreSQL XQL file:

packages/acs-tcl/tcl/security-procs-postgresql.xql

Oracle XQL file:

packages/acs-tcl/tcl/security-procs-oracle.xql