Hidden Input Types and CSRF Token

TheBigK

TheBigK

Well-known member
Recently, I encountered the following types of lines that are typically found on overlays for delete and save actions.

PHP: 
<input type="hidden" name="_xfConfirm" value="1" />
    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />
    <input type="hidden" name="redirect" value="{$redirect}" />

So far, I've been able to use them simply by copying the code; but while writing a 'Delete' functionality, I stumbled upon the _xfConfirm ; which is beyond my comprehension at present.

I tried searching for CSRF and it's got something to do with JSON which is completely alien to me as of now. Can someone tell me what exactly is the significance of _xfConfirm, _xfToken and 'redirect' in the above lines of code?
 
_xfConfirm is used with the isConfirmedPost method inside controllers - look at a few delete actions.

_xfToken is the CSRF token.

redirect is generally used when the page to redirect to after the action changes, and the redirect target is the content of that field.

Liam
 
Liam W said:
redirect is generally used when the page to redirect to after the action changes, and the redirect target is the content of that field.
Click to expand...
I added a delete functionality to my addon that displays a list of few items; and it works properly even without the 'redirect' thingy. Looks like it defaults to current page.

Well, I'm curious - why doesn't delete work just the same way as 'save'. I can have 'save' functionality just with _xfToken; but delete requires both?
 
The CSRF checks are done when the POST method is used (or the URI has js as the first two characters) so they should be present in all save and delete actions.

Liam
 
For the admin forms (using the <xen:form> tags), you don't need to add the

Code: 
<input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />

as XenForo does this for you when the admin templates are compiled.

CSRF means Cross Site Request Forgery and with the param _xfToken, XenForo checks if the request originates from a safe location and you yourself initiated the request.

And as for _xfConfirm, it is just a "helper" parameter so that XenForo can determine if the request is a "confirmed post" when you call the "$this->isConfirmedPost()" from your controller class. ;)
 
You must log in or register to reply here.

Similar threads

digitalpoint
CSRF token not always updated with XF.KeepAlive.refresh()
Replies
11
Views
1K
digitalpoint
digitalpoint
asprin
  • Solved
XF 2.1 Why is the first hidden input value being populated with a random token value?
Replies
1
Views
418
asprin
asprin
K
Fixed POST on non-existing route without CSRF token should not give status code 200
Replies
1
Views
362
XF Bug Bot
XF Bug Bot
I
XF 2.0 CSRF Token Question
Replies
2
Views
2K
S Thomas
S
K
  • Question Question
XF 1.4 Server Error Log: csrf-token-refresh
Replies
3
Views
1K
kayl
K
Back
Top Bottom