
Overview

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as adding new users, changing their email address, and so forth. If the victim is part of a "Super Admin" user group, CSRF can compromise the entire web application.

How to prevent

Use generateFormToken($form_id) to render a hidden input tag containing the CSRF token for the form identified by the $form_id argument.

Always call enforcePostRequest($ajax) when processing state-changing operations. The most common usage is enforcePostRequest(getval("ajax", false)).

Add CSRF tokens until you no longer get failed CSRF validation errors. Add enforcePostRequest() where needed and double-check that the protection works by attempting the same request using the GET method.

For AJAX requests, use echo generateAjaxToken($form_id); inside your post data. This adds a JSON "identifier": value pair. IMPORTANT: make sure generateAjaxToken() is always used at the end of the post data and that there is no comma after it, because this function returns an empty string if CSRF is disabled on a system.

If there is ever a need to use these in a pure JS file, the identifier should be set using the $CSRF_token_identifier configuration option and the token generated using generateCSRFToken().
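The three rules above (token in the form, enforcePostRequest() on the handler, generateAjaxToken() last in AJAX post data) combined in one page, as an added example that is not ResourceSpace's own code. It assumes the helpers generateFormToken(), enforcePostRequest(), generateAjaxToken() and getval() behave as documented on this page, that generateAjaxToken() supplies its own leading separator, and that jQuery is loaded; the bootstrap include and the form id are placeholders.

```php
<?php
// Added example, not ResourceSpace's own code. Assumes the helpers
// generateFormToken(), enforcePostRequest(), generateAjaxToken() and
// getval() behave as documented on this page, that generateAjaxToken()
// supplies its own leading separator, and that jQuery is loaded.
// The bootstrap include and the form id below are placeholders.
// require_once '<ResourceSpace bootstrap include - placeholder>';

$form_id = 'example_change_email';

// 1) Processing side. The gate runs BEFORE any state-changing work:
//    a GET, a POST without the token, or a POST with a wrong token is
//    rejected here, so a forged cross-site request never reaches the
//    update code. The ajax flag is passed so failures are reported in
//    the format the caller expects.
if (getval('save', '') !== '')
    {
    enforcePostRequest(getval('ajax', false));
    // ... only now update the user's email address ...
    }
?>

<!-- 2) Regular HTML form: the hidden token input is rendered inline -->
<form method="post" id="<?php echo $form_id; ?>">
    <?php echo generateFormToken($form_id); ?>
    <input type="email" name="email">
    <input type="hidden" name="save" value="1">
    <button type="submit">Save</button>
</form>

<!-- 3) AJAX caller. The token pair is the LAST entry of the post data
     and is NOT followed by a comma: generateAjaxToken() returns "" when
     CSRF is disabled, so the object literal must stay valid without it. -->
<script>
jQuery.post(window.location.href, {
    ajax: true,
    save: 1,
    email: jQuery('#<?php echo $form_id; ?> input[name=email]').val()
    <?php echo generateAjaxToken($form_id); ?>
}, function (response) { console.log(response); });
</script>
```

Verifying the handler: requesting the page with ?save=1 via GET, or replaying the POST without the token field, should be rejected by enforcePostRequest() before any change is made.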