webmcp

annotate framework/env/request/set_csrf_secret.lua @ 23:3a6fe8663b26

Code cleanup and documentation added; Year in copyright notice changed to 2009-2010

Details:
- Changed quoting style in auth.openid.xrds_document{...}
- Fixed documentation for auth.openid.initiate{...}
- Added documentation for mondelefant
- Code-cleanup in mondelefant:
-- removed unnecessary lines "rows = PQntuples(res); cols = PQnfields(res);"
-- avoided extra copy of first argument (self) in mondelefant_conn_query
-- no rawget in meta-method "__index" of database result lists and objects
-- removed unreachable "return 0;" in meta-method "__newindex" of database result lists and objects
- Year in copyright notice changed to 2009-2010
- Version string changed to "1.1.1"
author jbe
date Fri Jun 04 19:00:34 2010 +0200 (2010-06-04)
parents 9fdfb27f8e67
children 32ec28229bb5
source (all lines annotated as rev jbe/bsw@0)

--[[--
request.set_csrf_secret(
  secret  -- secret random string
)

Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.

--]]--

function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end
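
The check described in the comment above, exercised case by case in a stand-alone harness. This is an added example, not part of webmcp: the `request` and `cgi` tables are minimal stubs, the secret is a constructed value, and `set_csrf_secret_strict` is a hypothetical wrapper that covers the case where the secret itself is nil.

```lua
-- Added example: stand-alone harness, not part of webmcp.
-- `request` and `cgi` are minimal stubs (assumptions) standing in for the framework.
local request, cgi = {}, { params = {} }
local current_action  -- stub state: name of the action being executed, or nil

function request.get_action() return current_action end

-- Function under test, copied from the listing above.
function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  request._csrf_secret = secret
end

-- Hypothetical wrapper: refuse a missing or empty secret before delegating,
-- because nil ~= nil is false and the check above would then pass.
local function set_csrf_secret_strict(secret)
  if type(secret) ~= "string" or secret == "" then
    error("CSRF secret must be a non-empty string")
  end
  return request.set_csrf_secret(secret)
end

-- Run one constructed case and report whether the call was allowed.
local function try(label, fn, action, param, secret)
  current_action, cgi.params._webmcp_csrf_secret = action, param
  local ok = pcall(fn, secret)
  print(string.format("%-36s %s", label, ok and "allowed" or "rejected"))
  return ok
end

local S = "constructed-session-secret"  -- constructed sample value
assert(try("view, no parameter", request.set_csrf_secret, nil, nil, S))
assert(try("action, matching parameter", request.set_csrf_secret, "update", S, S))
assert(not try("action, parameter missing", request.set_csrf_secret, "update", nil, S))
assert(not try("action, wrong parameter", request.set_csrf_secret, "update", "other", S))
-- Edge case: a nil secret during an action compares equal to a missing parameter.
assert(try("action, nil secret (original)", request.set_csrf_secret, "update", nil, nil))
assert(not try("action, nil secret (strict)", set_csrf_secret_strict, "update", nil, nil))
```

The function only protects an action when the caller passes a non-nil secret, so the value handed to it (for example one derived from the session) should be validated before the call.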
