webmcp

view framework/env/request/set_csrf_secret.lua @ 406:36f0d1d5ed7d

find changesets by author, revision, files, or words in the commit message
Further fixes in mondelefant.connect{...} (including proper handling of garbage collection in case of memory allocation errors); Code cleanup (use luaL_setmetatable, which is available since Lua 5.2)
author jbe
date Wed Jan 06 18:59:58 2016 +0100 (2016-01-06)
parents 32ec28229bb5
children
line source
1 --[[--
2 request.set_csrf_secret(
3 secret -- secret random string
4 )
5
6 Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.
7
8 --]]--
9
10 function request.set_csrf_secret(secret)
11 if
12 request.get_action() and
13 request._http_request.post_params["_webmcp_csrf_secret"] ~= secret
14 then
15 error("Cross-Site Request Forgery attempt detected");
16 end
17 request._csrf_secret = secret
18 end

Impressum / About Us