SessionCSRF class

Provides an API for cross-site request forgery (CSRF) protection.

// output somewhere in form markup when rendering a form
echo $session->CSRF->renderInput();
// when processing form (POST request), check to see if token is present
if($session->CSRF->hasValidToken()) {
  // form submission is valid
  // okay to process
} else {
  // form submission is NOT valid
  throw new WireException('CSRF check failed!');
}
// this alternative to hasValidToken() throws WireCSRFException when invalid
$session->CSRF->validate(); 

In addition to the methods shown below, the SessionCSRF class also inherits all the methods and properties of Wire.


Initiating

| Name | Return | Summary |
| --- | --- | --- |
| SessionCSRF::getSingleUseToken() | array | Get a CSRF Token name and value that can only be used once |
| SessionCSRF::getToken() | array | Get a CSRF Token name and value |
| SessionCSRF::getTokenName() | string | Get a CSRF Token name, or create one if it doesn't yet exist |
| SessionCSRF::getTokenTime() | string | Get a CSRF Token timestamp |
| SessionCSRF::getTokenValue() | string | Get a CSRF Token value as stored in the session, or create one if it doesn't yet exist |
| SessionCSRF::renderInput() | string | Render a form input[hidden] containing the token name and value, as looked for by hasValidToken() |

Validating

| Name | Return | Summary |
| --- | --- | --- |
| SessionCSRF::hasValidToken() | bool | Returns true if the current POST request contains a valid CSRF token, false if not |
| SessionCSRF::validate() | bool | Throws an exception if the token is invalid |
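
The following is an added example, not part of the ProcessWire reference: a complete template file that renders a form with renderInput() and rejects a POST whose token fails validate(), before any submitted data is read. It assumes the $session, $input and $sanitizer API variables are in scope, as they are in a template file; the "message" field and the response wording are hypothetical.

```php
<?php namespace ProcessWire;
// Added example: one template file that both renders and processes a form.
// Assumes $session, $input and $sanitizer are in scope (template file context).
// The "message" field name is hypothetical.

$error = '';
$saved = false;

if($_SERVER['REQUEST_METHOD'] === 'POST') {
  try {
    // Validate the token first, so a forged request never reaches
    // the code that reads input or changes state.
    $session->CSRF->validate();
    $message = $sanitizer->text($input->post('message'));
    if($message === '') {
      $error = 'Please enter a message.';
    } else {
      // ... state-changing work (save a page, send mail) goes here ...
      $saved = true;
    }
  } catch(WireCSRFException $e) {
    // Fail closed: refuse the request and say nothing about the token itself.
    http_response_code(403);
    $error = 'The form could not be verified. Please reload the page and try again.';
  }
}
?>
<?php if($saved): ?>
  <p>Thanks, your message was received.</p>
<?php else: ?>
  <?php if($error !== ''): ?>
    <p class="error"><?= $sanitizer->entities($error) ?></p>
  <?php endif; ?>
  <form method="post" action="./">
    <?= $session->CSRF->renderInput() ?>
    <textarea name="message"></textarea>
    <button type="submit">Send</button>
  </form>
<?php endif; ?>
```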

Resetting

Additional methods and properties

In addition to the methods and properties above, SessionCSRF also inherits the methods and properties of these classes:

API reference based on ProcessWire core version 3.0.130
