
Hidden Input Types and CSRF Token

Discussion in 'XenForo Development Discussions' started by TheBigK, Aug 14, 2015.

  1. TheBigK

    TheBigK Well-Known Member

    Recently, I encountered the following types of lines that are typically found on overlays for delete and save actions.

    <input type="hidden" name="_xfConfirm" value="1" />
    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />
    <input type="hidden" name="redirect" value="{$redirect}" />
    So far, I've been able to use them simply by copying the code; but while writing a 'Delete' functionality, I stumbled upon the _xfConfirm, which is beyond my comprehension at present.

    I tried searching for CSRF and it's got something to do with JSON which is completely alien to me as of now. Can someone tell me what exactly is the significance of _xfConfirm, _xfToken and 'redirect' in the above lines of code?
  2. Liam W

    Liam W Well-Known Member

    _xfConfirm is used with the isConfirmedPost method inside controllers - look at a few delete actions.

    _xfToken is the CSRF token.

    redirect is generally used when the page to redirect to after the action changes, and the redirect target is the content of that field.

  3. TheBigK

    TheBigK Well-Known Member

    I added a delete functionality to my addon that displays a list of a few items; and it works properly even without the 'redirect' thingy. Looks like it defaults to the current page.

    Well, I'm curious - why doesn't delete work just the same way as 'save'? I can have 'save' functionality just with _xfToken; but delete requires both?
  4. Liam W

    Liam W Well-Known Member

    The CSRF checks are done when the POST method is used (or the URI has js as the first two characters) so they should be present in all save and delete actions.

    TheBigK likes this.
  5. Mr. Goodie2Shoes

    Mr. Goodie2Shoes Well-Known Member

    For the admin forms (using the <xen:form> tags), you don't need to add the

    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />
    as XenForo does this for you when the admin templates are compiled.

    CSRF means Cross Site Request Forgery and with the param _xfToken, XenForo checks if the request originates from a safe location and you yourself initiated the request.

    And as for _xfConfirm, it is just a "helper" parameter so that XenForo can determine if the request is a "confirmed post" when you call the "$this->isConfirmedPost()" from your controller class. ;)
    TheBigK likes this.
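Putting the replies above together, here is an added Python sketch of the pattern they describe: a CSRF token bound to the visitor's session that is only checked on POST, a "confirmed post" gate on _xfConfirm before anything is deleted, and a redirect field that falls back to the current page. It is illustrative code written for this thread, not XenForo's implementation; the field names _xfToken, _xfConfirm and redirect come from the posts, while SECRET_KEY, make_token, token_is_valid, hidden_fields and handle_delete are made-up names.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed server secret for the example; a real deployment keeps this out of source.
SECRET_KEY = b"constructed-example-secret"


def make_token(session_id: str) -> str:
    """Derive a CSRF token bound to one visitor's session (HMAC over the session id).

    A forged cross-site request cannot know this value because the attacker's
    page never sees the victim's session id or the server secret.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Check a submitted token in constant time so a mismatch leaks no timing info."""
    if not submitted:
        return False
    return hmac.compare_digest(make_token(session_id), submitted)


def hidden_fields(session_id: str, redirect: str) -> str:
    """Render the three hidden inputs from the thread for a confirmation overlay."""
    return (
        '<input type="hidden" name="_xfConfirm" value="1" />\n'
        f'<input type="hidden" name="_xfToken" value="{make_token(session_id)}" />\n'
        f'<input type="hidden" name="redirect" value="{redirect}" />'
    )


def handle_delete(method: str, session_id: str, params: Dict[str, str],
                  items: Dict[str, str], current_url: str) -> Tuple[str, Optional[str]]:
    """Dispatch a delete action the way the replies describe.

    GET (the overlay being opened) renders the confirmation and deletes nothing.
    POST must carry a valid _xfToken and _xfConfirm=1 before the item is removed.
    Returns (outcome, redirect_target).
    """
    if method != "POST":
        # Not a confirmed post: show the overlay with its hidden fields.
        return ("confirm", None)
    if not token_is_valid(session_id, params.get("_xfToken")):
        # CSRF check fails closed; nothing is changed.
        return ("csrf_error", None)
    if params.get("_xfConfirm") != "1":
        # Token is fine but the user has not confirmed yet: re-render the overlay.
        return ("confirm", None)
    items.pop(params.get("id", ""), None)
    # Without a redirect field, fall back to the page the user is on.
    return ("deleted", params.get("redirect") or current_url)


if __name__ == "__main__":
    sid = "constructed-session-id"
    inventory = {"7": "widget", "8": "gadget"}
    print(hidden_fields(sid, "/items"))
    print(handle_delete("POST", sid,
                        {"_xfToken": make_token(sid), "_xfConfirm": "1", "id": "7"},
                        inventory, "/items"))
```

The ordering matters: the token is verified before _xfConfirm is even looked at, so an unconfirmed but forged request still fails at the CSRF step, and a GET never reaches the deletion code at all. This is the reason a delete needs both fields while a plain save only needs the token: the confirmation step exists to stop an accidental click, the token to stop a forged request.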
