security::csrf::validate

security::csrf::validate (public)

 security::csrf::validate [ -tokenname tokenname ] \
    [ -allowempty allowempty ]

Defined in packages/acs-tcl/tcl/security-procs.tcl
Validate a CSRF token and call security::csrf::fail the request if invalid.

Switches:

-tokenname
(defaults to "__csrf_token") (optional)
-allowempty
(defaults to "false") (optional)

Returns:
nothing

Partial Call Graph (max 5 caller/called nodes):

Testcases:
create_workflow_with_instance

Source code:
        if {![info exists ::$tokenname] || ![ns_conn isconnected]} {
            #
            # If there is no global CSRF token, or we are not in a
            # connection thread, we accept everything.  If there is
            # no CSRF token, we assume, that its generation is
            # deactivated,
            #
            return
        }

        set oldToken [ns_queryget $tokenname]
        if {$oldToken eq ""} {
            #
            # There is not token in the query/form parameters, we
            # can't validate, since there is no token.
            #
            if {$allowempty} {
                return
            }
            fail
        }

        set token [token -tokenname $tokenname]
        if {$oldToken ne $token} {
            fail
        }
Generic XQL file:

packages/acs-tcl/tcl/security-procs.xql

PostgreSQL XQL file:

packages/acs-tcl/tcl/security-procs-postgresql.xql

Oracle XQL file:

packages/acs-tcl/tcl/security-procs-oracle.xql

[ hide source ] | [ make this the default ]