Token

Filepath: phork/php/utilities/Token.class.php

The Token class is used to set and check a form token to verify that the a form post isn't being spoofed. It requires $arrConfig['TokenField'] and $arrConfig['TokenSessionName'] to be defined in the site configuration file to store the hidden form field name and the session variable name respectively. A secondary benefit of the Token class is that it stops a user from reloading a posted form and re-posting the data if the token isn't revived.

In order to verify a form post there must be a hidden field containing a token that's also stored in the user's session. When the form has been submitted the posted field is matched with the tokens in the session. If a match is found the post is considered valid.

The CommonHooks class includes a verifyToken() method that automatically verifies the token anytime there is $_POST data. Alternately the verification can be done manually on a case by case basis.


Form Example

<form method="post">
    <?php echo(Form::getHidden(AppConfig::get('TokenField'), Token::initToken())); ?>
    ...
</form>

Verification Example

//if the verification fails display a fatal error
if (!empty($_POST) && !Token::verifyRequest()) {
    AppRegistry::get('Bootstrap')->fatal();
}

Hooks Example

//instantiate the common hooks object
$objCommonHooks = new CommonHooks();

//add the hook to always verify the form post
$objBootstrap->registerPreDispatchHook(array($objCommonHooks, 'verifyToken'));

Reviving a Token

//revive the current token so it can be used again
Token::reviveToken();