SessionCSRF class

Provides an API for cross site request forgery protection.

// output somewhere in form markup when rendering a form
echo $session->CSRF->renderInput();
// when processing form (POST request), check to see if token is present
if($session->CSRF->hasValidToken()) {
  // form submission is valid
  // okay to process
} else {
  // form submission is NOT valid
  throw new WireException('CSRF check failed!');
}
// this alternative to hasValidToken() throws WireCSRFException when invalid
$session->CSRF->validate(); 

Click any linked item for full usage details and examples. Hookable methods are indicated with the icon. In addition to those shown below, the SessionCSRF class also inherits all the methods and properties of: Wire.

Show class?             Show args?        

Initiating

NameReturnSummary 
SessionCSRF::getSingleUseToken()
arrayGet a CSRF Token name and value that can only be used once 
SessionCSRF::getToken()
arrayGet a CSRF Token name and value 
SessionCSRF::getTokenName()
stringGet a CSRF Token name, or create one if it doesn't yet exist 
SessionCSRF::getTokenTime()
stringGet a CSRF Token timestamp 
SessionCSRF::getTokenValue()
stringGet a CSRF Token value as stored in the session, or create one if it doesn't yet exist 
SessionCSRF::renderInput()
stringRender a form input[hidden] containing the token name and value, as looked for by hasValidToken() 

Validating

NameReturnSummary 
SessionCSRF::hasValidToken()
boolReturns true if the current POST request contains a valid CSRF token, false if not 
SessionCSRF::validate()
boolThrows an exception if the token is invalid 

Resetting

Additional methods and properties

In addition to the methods and properties above, SessionCSRF also inherits the methods and properties of these classes:

API reference based on ProcessWire core version 3.0.135

Twitter updates

  • New post: Version 3.0.135 of ProcessWire on the dev branch focuses on some .htaccess updates, adds clarity to debug mode, and improves upon the installer— More
    5 July 2019
  • ProcessWire 3.0.133 adds a useful new Page::meta() method for a new type of page-specific persistent data storage, adds the ability for users to create their own bookmarks in Lister, and has a handy and time saving update for the asmSelect input type— More
    14 June 2019
  • New post: This week we’ll take a look at 3 different WEBP image strategies that you can use in ProcessWire 3.0.132+. Then we’ll dive into a major update for the Google Client API module, and finish up by outlining some useful new updates in FormBuilder— More
    31 May 2019

Latest news

  • ProcessWire Weekly #270
    This week in the 270th issue of ProcessWire Weekly we're going to cover the SearchEngine module, feature some recent support forum highlights, and introduce a brand new site of the week. Read on!
    Weekly.pw / 13 July 2019
  • ProcessWire 3.0.135 core updates
    Version 3.0.135 of ProcessWire on the dev branch focuses on .htaccess updates, adds additional layers of security, adds clarity to debug mode, and improves upon the installer.
    Blog / 3 July 2019
  • Subscribe to weekly ProcessWire news

“ProcessWire is like a breath of fresh air. So powerful yet simple to build with and customise, and web editors love it too.” —Margaret Chatwin, Web developer