security::csrf::validate (public)

 security::csrf::validate [ -tokenname tokenname ] \
    [ -allowempty allowempty ]

Defined in packages/acs-tcl/tcl/security-procs.tcl

Validate a CSRF token and, if it is invalid, fail the request by calling security::csrf::fail.

Switches:
-tokenname (optional, defaults to "__csrf_token")
-allowempty (optional, defaults to "false")
Returns:
nothing

Testcases:
create_workflow_with_instance
Source code:
    if {![info exists ::$tokenname] || ![ns_conn isconnected]} {
        #
        # If there is no global CSRF token, or we are not in a
        # connection thread, we accept everything.  If there is
        # no CSRF token, we assume that its generation is
        # deactivated.
        #
        return
    }

    set oldToken [ns_queryget $tokenname]
    if {$oldToken eq ""} {
        #
        # There is no token in the query/form parameters, so we
        # can't validate. Accept only when -allowempty is set.
        #
        if {$allowempty} {
            return
        }
        fail
    }

    set token [token -tokenname $tokenname]

    if {$oldToken ne $token} {
        ::security::log session_id "CSRF old token <$oldToken> new token <$token> peeraddr [ad_conn peeraddr]"
        fail
    }
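To make the decision branches of the proc above explicit, here is an added Python model of the same control flow; it is not OpenACS code, and the names `validate_csrf`, `CsrfFailure`, `outcome` and the dict-based request are assumptions. The one deliberate deviation from the Tcl `ne` test is that the token comparison uses `hmac.compare_digest`.

```python
import hmac
import logging


class CsrfFailure(Exception):
    """Raised where the Tcl proc calls security::csrf::fail (hypothetical)."""


def validate_csrf(request, session_token, *, tokenname="__csrf_token",
                  allowempty=False, connected=True, peeraddr="?",
                  log=logging.getLogger("csrf")):
    """Model of security::csrf::validate (assumed names, not OpenACS code).

    request       -- dict of query/form parameters (stands in for ns_queryget)
    session_token -- value of the global ::$tokenname, or None when token
                     generation is deactivated (stands in for [token ...])
    connected     -- stands in for [ns_conn isconnected]
    Returns None when the request is accepted, raises CsrfFailure otherwise.
    """
    # No global token or not in a connection thread: accept everything.
    if session_token is None or not connected:
        return None

    old_token = request.get(tokenname, "")
    if old_token == "":
        # Nothing to validate against; only allowempty lets this through.
        if allowempty:
            return None
        raise CsrfFailure("missing CSRF token")

    # Deviation from the Tcl 'ne': compare in constant time.
    if not hmac.compare_digest(old_token, session_token):
        log.warning("CSRF old token <%s> new token <%s> peeraddr %s",
                    old_token, session_token, peeraddr)
        raise CsrfFailure("CSRF token mismatch")
    return None


def outcome(**kwargs):
    """Return 'accept' or 'fail' for one scenario (demo helper)."""
    try:
        validate_csrf(**kwargs)
        return "accept"
    except CsrfFailure:
        return "fail"


if __name__ == "__main__":
    # Constructed scenarios, one per branch of the proc.
    tok = "a1b2c3"  # constructed token value
    print(outcome(request={"__csrf_token": tok}, session_token=tok))    # accept
    print(outcome(request={}, session_token=tok))                       # fail
    print(outcome(request={}, session_token=tok, allowempty=True))      # accept
    print(outcome(request={"__csrf_token": "xyz"}, session_token=tok))  # fail
    print(outcome(request={"__csrf_token": "xyz"}, session_token=None)) # accept
```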
Generic XQL file:
packages/acs-tcl/tcl/security-procs.xql

PostgreSQL XQL file:
packages/acs-tcl/tcl/security-procs-postgresql.xql

Oracle XQL file:
packages/acs-tcl/tcl/security-procs-oracle.xql
