-
Notifications
You must be signed in to change notification settings - Fork 3
Nonce manager for Coldfusion forms for more information, wiki, issue tracker, and feature requests visit
designfrontier/TokenizerCFC
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Welcome to Tokenizer 1.1! Tokenizer is a Nonce/Token management system for preventing XSRF (cross site request forgery) on coldfusion based forms. It's purpose is to create a simple standardized way to manage tokens and prevent blind posts that could be hazardous to your users or system. Check out the examples, tokenizer.riaforge.org, and designfrontier.net if you have questions or issues. The article about Tokenizer and implementing it is here: http://designfrontier.net/articles/?id=9 QUICK NOTES ON IMPLENTATION Create tokenizer object in VARIABLES scope and reference functions. DETAILED NOTES ON IMPLEMENTATION The process of implementation goes something like this: Step 1 -> Create a tokenizer instance and pass it the session scope (if the page posts to itself place this at the very top, before the form processing that will save you having to complete step 4 later) variables.tokenizer = createObject('component','admin.com.tokenizer').init(session); Name of the tokenizer variable doesn't really matter here. Step 2 -> Create a new token. This takes two arguments: 1) The name of the token (no spaces, must be a valid variable name) 2) the time in seconds before the token expires (make this reasonable considering the length of the form) IMPORTANT:: If the form self posts then this should be done after the form processing code but before the display of the form itself. variables.tokenizer.createToken('tokenName',300); Step 3 -> Write the token to the page with in the <form> <cfoutput>#variables.tokenizer.writeTokenToPage('tokenName')#</cfoutput> The rest of the implementation happens in your form processing code Step 4 -> Create an instance of the tokenizer if you are self-posting this form and you followed Step 1 (hint hint) then you can skip this step and collect $200. variables.tokenizer = createObject('component','admin.com.tokenizer').init(session); Step 5 -> in the IF statement that kicks off form processing add the following AND variables.tokenizer.checkToken('tokenName',form.xsrf_token) This does all the checking to ensure that the token is valid Step 6 -> inside the form processing IF statement and after you are done with all the form processing add this line <cfset variables.tokenizer.removeToken('tokenName')> This removes the token and prevents the form from being double posted. Changes ----------------------------------------- 1.2 Added a getTokenValue method for working with AJAX requests and tokens. Updated the example docs with the AJAX examples. 1.1 Corrected a bug in the submit.cfm that referenced the wrong token name when removing the token. Added a checkTokenLife() method that returns the number of seconds left in the life of a token. Added a checkTokenLifeRemote() method for remote access to the number of seconds left in the life of a token. Added output="no" to the component and the methods within it. 1.0.2 The only change in 1.0.2 was the addition of demos for self posting and posting to another page. 1.0.1 The only change for 1.0.1 is the addition of an id to the hidden input that is created by writeTokenToPage() 1.0.0 This is the base release. Check out the CFC and the comments in it to understand all the features, etc. Requirements ----------------------------------------- Tokenizer has been tested on CF 9.0.1 and Railo 3.2.2+. It should also work on CF 8 and OpenBD, though it has not been tested in these configurations. If you test it and it works email [email protected] and I'll add it to this list and credit you with testing it. Thanks! Credits ----------------------------------------- The application.cfc in the examples is heavily based on Ben Nadel's application.cfc template (http://www.bennadel.com/blog/726-ColdFusion-Application-cfc-Tutorial-And-Application-cfc-Reference.htm). The concept for tokenizer draws heavily on Jason Dean's may fantastic security articles (htttp://12robots.com) which you should be reading. The AJAX header code draws on http://existdissolve.com/2010/10/cfscript-alternative-to-cfheader/ for writing headers in cfscript. Tokenizer is created and maintained by Daniel Sellers www.designfrontier.net
About
Nonce manager for Coldfusion forms for more information, wiki, issue tracker, and feature requests visit
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published