Provides an API for cross site request forgery protection.

// output somewhere in form markup when rendering a form
echo $session->CSRF->renderInput();
// when processing form (POST request), check to see if token is present
if($session->CSRF->hasValidToken()) {
  // form submission is valid
  // okay to process
} else {
  // form submission is NOT valid
  throw new WireException('CSRF check failed!');
}
// this alternative to hasValidToken() throws WireCSRFException when invalid
$session->CSRF->validate(); 

Click any linked item for full usage details and examples. Hookable methods are indicated with the icon. In addition to those shown below, the SessionCSRF class also inherits all the methods and properties of: Wire.

Initiating / Validating / Resetting

Show “SessionCSRF”             Show Arguments        

Initiating

NameReturnSummary 
SessionCSRF::getSingleUseToken()
arrayGet a CSRF Token name and value that can only be used once
SessionCSRF::getToken()
arrayGet a CSRF Token name and value
SessionCSRF::getTokenName()
stringGet a CSRF Token name, or create one if it doesn't yet exist
SessionCSRF::getTokenTime()
stringGet a CSRF Token timestamp
SessionCSRF::getTokenValue()
stringGet a CSRF Token value as stored in the session, or create one if it doesn't yet exist
SessionCSRF::renderInput()
stringRender a form input[hidden] containing the token name and value, as looked for by hasValidToken()

Validating

NameReturnSummary 
SessionCSRF::hasValidToken()
boolReturns true if the current POST request contains a valid CSRF token, false if not
SessionCSRF::validate()
boolThrows an exception if the token is invalid

Resetting

NameReturnSummary 
SessionCSRF::resetAll()
(nothing)Clear out all saved token values
SessionCSRF::resetToken()
(nothing)Clear out token value

Additional methods and properties

In addition to the methods and properties above, SessionCSRF also inherits the methods and properties of these classes:

API reference based on ProcessWire core version 3.0.62