webmcp

view framework/env/request/set_csrf_secret.lua @ 157:004d2d50419e

find changesets by author, revision, files, or words in the commit message
Allow direct usage of json.null values in JSON library (for writing, not reading)
author jbe
date Thu Jul 31 03:45:33 2014 +0200 (2014-07-31)
parents 9fdfb27f8e67
children 32ec28229bb5
line source
1 --[[--
2 request.set_csrf_secret(
3 secret -- secret random string
4 )
5
6 Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.
7
8 --]]--
9
10 function request.set_csrf_secret(secret)
11 if
12 request.get_action() and
13 cgi.params._webmcp_csrf_secret ~= secret
14 then
15 error("Cross-Site Request Forgery attempt detected");
16 end
17 request._csrf_secret = secret
18 end

Impressum / About Us