The Token class is used to set and check a form token to verify that the a form post isn't being spoofed. It requires $arrConfig['TokenField'] and $arrConfig['TokenSessionName'] to be defined in the site configuration file to store the hidden form field name and the session variable name respectively. A secondary benefit of the Token class is that it stops a user from reloading a posted form and re-posting the data.
In order to verify a form post there must be a hidden field containing a token that's also stored in the user's session. When the form has been submitted the posted field is matched with the tokens in the session. If a match is found the post is considered valid.
The CommonHooks class includes a verifyToken() method that automatically verifies the token anytime there is $_POST data. Alternately the verification can be done manually on a case by case basis.
<form method="post">
<?php echo(Form::getHidden(AppConfig::get('TokenField'), Token::initToken())); ?>
...
</form>
//if the verification fails display a fatal error
if (!empty($_POST) && !Token::verifyRequest()) {
AppRegistry::get('Bootstrap')->fatal();
}
//instantiate the common hooks object
$objCommonHooks = new CommonHooks();
//add the hook to always verify the form post
$objBootstrap->registerPreDispatchHook(array($objCommonHooks, 'verifyToken'));