security::csrf::new (public)

 security::csrf::new [ -tokenname tokenname ] [ -user_id user_id ]

Defined in packages/acs-tcl/tcl/security-procs.tcl

Create a security token to protect against CSRF (Cross-Site Request Forgery). The token is set (and cached) in a global per-thread variable and can be included in forms e.g. via the following command.

        <if @::__csrf_token@ defined>
            <input type="hidden" name="__csrf_token" value="@::__csrf_token;literal@">
        </if>

The token is automatically cleared together with other global variables at the end of the processing of every request.

The optional argument user_id is currently ignored, but it is there, since there are algorithms published to calculate the CSRF token based on a user_id. So far, i found no evidence that these should be used, but the argument is there as a reminder, such the interface does not have to be used, when we switch to such an algorithm.

Switches:
-tokenname (optional, defaults to "__csrf_token")
-user_id (optional)
Returns:
CSRF token
Author:
Gustaf Neumann

Partial Call Graph (max 5 caller/called nodes):
%3 __ad_verify_signature __ad_verify_signature (private) security::csrf::new security::csrf::new __ad_verify_signature->security::csrf::new ad_sign ad_sign (public) ad_sign->security::csrf::new packages/search/lib/navbar.tcl packages/search/ lib/navbar.tcl packages/search/lib/navbar.tcl->security::csrf::new sec_handler sec_handler (private) sec_handler->security::csrf::new security::csrf::token security::csrf::token (private) security::csrf::new->security::csrf::token

Testcases:
No testcase defined.
[ show source ]
Show another procedure: