--[[--
request.set_csrf_secret(
  secret  -- secret random string
)

Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action.

--]]--

function request.set_csrf_secret(secret)
  -- During an action, the value read from the request's POST parameters
  -- must equal the given secret; otherwise the action is aborted.
  if
    request.get_action() and
    request._http_request.post_params["_webmcp_csrf_secret"] ~= secret
  then
    error("Cross-Site Request Forgery attempt detected");
  end
  -- Remember the secret for this request.
  request._csrf_secret = secret
end
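The check documented above can be exercised outside WebMCP with a small stand-alone harness. This is an added example, not part of the WebMCP source: the stub `request` table, `current_action`, `simulate` and the sample secret are assumptions made for illustration, and the function body is copied from above so the block runs on its own.

```lua
-- Added example: stand-alone harness, not WebMCP code. The `request` table
-- is a constructed stub exposing only the fields the function reads.
local request = { _http_request = { post_params = {} } }
local current_action  -- hypothetical stand-in for the routed action name

function request.get_action() return current_action end

-- Same check as the function above, copied so the harness is self-contained.
function request.set_csrf_secret(secret)
  if
    request.get_action() and
    request._http_request.post_params["_webmcp_csrf_secret"] ~= secret
  then
    error("Cross-Site Request Forgery attempt detected")
  end
  request._csrf_secret = secret
end

-- Simulate one request; returns whether the call succeeded, the error
-- (if any), and the secret stored on the request afterwards.
local function simulate(action, post_params, secret)
  current_action = action
  request._http_request.post_params = post_params
  request._csrf_secret = nil
  local ok, err = pcall(request.set_csrf_secret, secret)
  return ok, err, request._csrf_secret
end

local secret = "constructed-sample-secret"  -- constructed value

-- View rendering (no action): nothing is compared, the secret is stored.
assert(simulate(nil, {}, secret) == true)
-- Action whose form echoed the hidden field back: accepted.
assert(simulate("update", { _webmcp_csrf_secret = secret }, secret) == true)
-- Action without the hidden field (not sent from the app's own form): rejected.
local ok, err = simulate("update", {}, secret)
assert(not ok and tostring(err):find("Cross%-Site Request Forgery"))
-- Action with a wrong value: rejected, and the secret is not stored.
local ok2, _, stored = simulate("update", { _webmcp_csrf_secret = "other" }, secret)
assert(not ok2 and stored == nil)
-- Edge case: a nil secret compares equal to an absent field, so the check
-- passes. Callers must always pass a non-empty string.
assert(simulate("update", {}, nil) == true)
print("all cases behaved as described")
```

The last case is the one to guard in calling code: validate that the secret is a non-empty string before handing it to `request.set_csrf_secret`.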