webmcp
annotate framework/env/request/set_csrf_secret.lua @ 96:db4bf2e6513c
Fixed errors in sample webserver configurations and request/__init.lua
| author | jbe |
|---|---|
| date | Wed Oct 10 18:41:11 2012 +0200 (2012-10-10) |
| parents | 9fdfb27f8e67 |
| children | 32ec28229bb5 |
| rev | line source |
|---|---|
| jbe/bsw@0 | 1 --[[-- |
| jbe/bsw@0 | 2 request.set_csrf_secret( |
| jbe/bsw@0 | 3 secret -- secret random string |
| jbe/bsw@0 | 4 ) |
| jbe/bsw@0 | 5 |
| jbe/bsw@0 | 6 Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action. |
| jbe/bsw@0 | 7 |
| jbe/bsw@0 | 8 --]]-- |
| jbe/bsw@0 | 9 |
| jbe/bsw@0 | 10 function request.set_csrf_secret(secret) |
| jbe/bsw@0 | 11 if |
| jbe/bsw@0 | 12 request.get_action() and |
| jbe/bsw@0 | 13 cgi.params._webmcp_csrf_secret ~= secret |
| jbe/bsw@0 | 14 then |
| jbe/bsw@0 | 15 error("Cross-Site Request Forgery attempt detected"); |
| jbe/bsw@0 | 16 end |
| jbe/bsw@0 | 17 request._csrf_secret = secret |
| jbe/bsw@0 | 18 end |
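
The check above exercised outside the framework, as an added example that is not part of the WebMCP source. The `request`/`cgi` stubs, the `try` helper and the `set_csrf_secret_checked` guard are hypothetical names introduced here, and the secret is a constructed sample. It also covers the case where both the secret and the form field are absent.

```lua
-- Added example: stubs stand in for WebMCP's request/cgi environment (assumptions).
local request, cgi = {}, { params = {} }
local current_action  -- hypothetical stub state: nil means a view is being rendered

function request.get_action() return current_action end

-- Function body as shown on this page.
function request.set_csrf_secret(secret)
  if
    request.get_action() and
    cgi.params._webmcp_csrf_secret ~= secret
  then
    error("Cross-Site Request Forgery attempt detected")
  end
  request._csrf_secret = secret
end

-- Hypothetical caller-side guard: refuse an absent or empty secret, because
-- nil ~= nil is false and the comparison above would then let the action run.
local function set_csrf_secret_checked(secret)
  assert(type(secret) == "string" and #secret > 0,
         "CSRF secret must be a non-empty string")
  return request.set_csrf_secret(secret)
end

-- Simulate one request; returns true if the setter ran without raising an error.
local function try(setter, action, param, secret)
  current_action = action
  cgi.params._webmcp_csrf_secret = param
  return (pcall(setter, secret))
end

local secret = "constructed-sample-secret"  -- constructed value, not a real token
-- View rendering: no action, so no check; the secret is stored for the form.
assert(try(request.set_csrf_secret, nil, nil, secret) == true)
assert(request._csrf_secret == secret)
-- Action whose hidden field echoes the secret: allowed.
assert(try(request.set_csrf_secret, "update", secret, secret) == true)
-- Action without the field, or with a different value: rejected.
assert(try(request.set_csrf_secret, "update", nil, secret) == false)
assert(try(request.set_csrf_secret, "update", "other-value", secret) == false)
-- Edge case: secret is nil and the field is absent, so the check passes.
assert(try(request.set_csrf_secret, "update", nil, nil) == true)
-- The guard turns that case into an error.
assert(try(set_csrf_secret_checked, "update", nil, nil) == false)
print("all cases behaved as described")
```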