Validates that all POST requests to the backend were intentional and not part of a forged request.

Add as a submodule:

    git submodule add https://github.com/richadams/xsrf_protection.git extensions/xsrf_protection --recursive
Author: Rich Adams (http://richadams.me)
Licensed under the GPL.
Protects the backend of Symphony CMS against cross-site request forgery.
What it does
- Adds an xsrf input to any form using the POST method, carrying a single-use token.
- When the backend receives a POST request, the token is validated.
- If the token is incorrect, not provided, or has expired, then the request is rejected.
Installation
Only tested in Symphony CMS 2.3.
- Unzip the file.
- Put the xsrf_protection folder into your extension directory.
- Enable the same as any other extension.
Configuration
Add the following to your configuration file:

    "xsrf-protection" => array(
        "token-lifetime" => "15 mins",             // How long the tokens are valid for.
        "invalidate-tokens-on-request" => true,    // If true, tokens are invalidated on every request or after the expiry time, whichever comes first.
                                                   // If false, tokens only expire after the lifetime.
    ),
- Token Lifetime - How long before a token expires and becomes invalid. Default is 15 minutes. Can specify any
- Invalidate Tokens On Request - If set, this invalidates any previous tokens on every request. If not set, tokens are only invalidated once their expiry time is reached. Most of the time you probably want this disabled; otherwise, when a user goes back and submits something again, they will get the XSRF error even if the token is still within its lifetime.
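The behaviour described under "What it does" and the two configuration options above, as an added example that is not the extension's own code. It is a minimal Python model of the same policy: a random token is injected into every POST form, a POST is rejected when the token is missing, unknown or older than the lifetime, and the invalidate-on-request flag decides whether a back-button resubmit within the lifetime is still accepted. The class and function names (XsrfProtection, issue_token, inject_token, check_request), the use of seconds for "token-lifetime" instead of the README's "15 mins" string, the in-memory token store and the FakeClock are all assumptions made for the example.

```python
"""Illustrative XSRF token handling with a token lifetime and an
'invalidate tokens on request' policy. Added example, not the Symphony
extension's code; names and the seconds-based lifetime are assumptions."""
import hmac
import re
import secrets
import time

# Constructed defaults mirroring the README's configuration keys
# (lifetime expressed in seconds here rather than as "15 mins").
DEFAULT_CONFIG = {"token-lifetime": 15 * 60, "invalidate-tokens-on-request": False}

# Matches the opening tag of any form that submits with the POST method.
FORM_RE = re.compile(r"(<form\b[^>]*\bmethod\s*=\s*[\"']?post[\"']?[^>]*>)", re.IGNORECASE)


class FakeClock:
    """Constructed, controllable clock so expiry can be exercised deterministically."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class XsrfProtection:
    def __init__(self, config=None, clock=time.time):
        cfg = {**DEFAULT_CONFIG, **(config or {})}
        self.lifetime = cfg["token-lifetime"]
        self.invalidate_on_request = cfg["invalidate-tokens-on-request"]
        self.clock = clock
        self._tokens = {}  # token -> issue time; a real store would live in the user's session

    def issue_token(self):
        """Create a fresh unpredictable token and remember when it was issued."""
        token = secrets.token_hex(16)
        self._tokens[token] = self.clock()
        return token

    def inject_token(self, html):
        """Add a hidden xsrf input to every POST form in the page; GET forms are untouched."""
        token = self.issue_token()
        field = '<input type="hidden" name="xsrf" value="%s">' % token
        return FORM_RE.sub(lambda m: m.group(1) + field, html), token

    def check_request(self, fields):
        """Validate a POST body (dict of form fields). Returns (accepted, reason)."""
        try:
            supplied = fields.get("xsrf")
            if supplied is None:
                return False, "missing"
            if not isinstance(supplied, str) or not supplied.isascii():
                return False, "invalid"  # compare_digest on str requires ASCII
            # Constant-time comparison against each outstanding token.
            match = next((t for t in self._tokens if hmac.compare_digest(t, supplied)), None)
            if match is None:
                return False, "invalid"
            if self.clock() - self._tokens[match] > self.lifetime:
                del self._tokens[match]
                return False, "expired"
            return True, "ok"
        finally:
            if self.invalidate_on_request:
                # Flag on: every request invalidates all earlier tokens, so a
                # back-button resubmit is rejected even inside the lifetime.
                self._tokens.clear()
            else:
                # Flag off: tokens stay usable until their lifetime runs out.
                now = self.clock()
                for tok, issued in list(self._tokens.items()):
                    if now - issued > self.lifetime:
                        del self._tokens[tok]


if __name__ == "__main__":
    clock = FakeClock()
    guard = XsrfProtection({"token-lifetime": 900}, clock=clock)
    page, token = guard.inject_token('<form method="POST" action="/save"><input name="title"></form>')
    print(page)
    print(guard.check_request({"title": "x"}))          # missing token -> rejected
    print(guard.check_request({"xsrf": token}))         # valid -> accepted
    clock.t += 901
    print(guard.check_request({"xsrf": token}))         # past lifetime -> rejected
```

With the flag off, the second submission of the same token inside the lifetime is accepted, which is the back-button case the README describes; with the flag on, the first request wipes the store and the resubmit is reported as invalid.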
Requires Symphony 2.3
- Initial release.