SessionCSRF class

Provides an API for cross site request forgery protection.

// output somewhere in form markup when rendering a form
echo $session->CSRF->renderInput();
// when processing form (POST request), check to see if token is present
if($session->CSRF->hasValidToken()) {
  // form submission is valid
  // okay to process
} else {
  // form submission is NOT valid
  throw new WireException('CSRF check failed!');
}
// this alternative to hasValidToken() throws WireCSRFException when invalid
$session->CSRF->validate(); 

Click any linked item for full usage details and examples. Hookable methods are indicated with the icon. In addition to those shown below, the SessionCSRF class also inherits all the methods and properties of: Wire.

Show class?             Show args?        

Initiating

NameReturnSummary 
SessionCSRF::getSingleUseToken()
arrayGet a CSRF Token name and value that can only be used once 
SessionCSRF::getToken()
arrayGet a CSRF Token name and value 
SessionCSRF::getTokenName()
stringGet a CSRF Token name, or create one if it doesn't yet exist 
SessionCSRF::getTokenTime()
stringGet a CSRF Token timestamp 
SessionCSRF::getTokenValue()
stringGet a CSRF Token value as stored in the session, or create one if it doesn't yet exist 
SessionCSRF::renderInput()
stringRender a form input[hidden] containing the token name and value, as looked for by hasValidToken() 

Validating

NameReturnSummary 
SessionCSRF::hasValidToken()
boolReturns true if the current POST request contains a valid CSRF token, false if not 
SessionCSRF::validate()
boolThrows an exception if the token is invalid 

Resetting

Additional methods and properties

In addition to the methods and properties above, SessionCSRF also inherits the methods and properties of these classes:

API reference based on ProcessWire core version 3.0.160

Twitter updates

  • ProcessWire 3.0.161 adds support for selector operator stacking, enabling you automatically broaden searches in a single pages.find() call— More
    26 June 2020
  • ProcessWire 3.0.160 adds powerful new text-searching operators, bringing a new level of power to page-finding API calls, especially when it comes to search engine type queries. Post also includes a demo search engine where you can test it all out live— More
    19 June 2020
  • Preview of ProcessWire 3.0.160 with auto-enable of two-factor authentication, new version of TfaEmail and TfaTotp, and new selector operators coming next week. More
    12 June 2020

Latest news

  • ProcessWire Weekly #320
    In the 320th issue of ProcessWire Weekly we're going to check out the latest core updates (ProcessWire 3.0.161), a new third party module called Fieldtype Runtime only, an IndieWeb themed article from Francesco Schwarz, and more. Read on!
    Weekly.pw / 27 June 2020
  • Powerful new text-searching abilities in 3.0.160
    In ProcessWire 3.0.160 we’ve got some major upgrades and additions to our text-search abilities. This brings a whole new level of power to $pages->find() and similar API calls, especially when it comes to search engine type queries.
    Blog / 19 June 2020
  • Subscribe to weekly ProcessWire news

“ProcessWire is like a breath of fresh air. So powerful yet simple to build with and customise, and web editors love it too.” —Margaret Chatwin, Web developer