Hidden Input Types and CSRF Token

TheBigK

TheBigK

Well-known member
Recently, I encountered the following types of lines that are typically found on overlays for delete and save actions.

PHP: 
<input type="hidden" name="_xfConfirm" value="1" />
    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />
    <input type="hidden" name="redirect" value="{$redirect}" />

So far, I've been able to use them simply by copying the code; but while writing a 'Delete' functionality, I stumbled upon the _xfConfirm ; which is beyond my comprehension at present.

I tried searching for CSRF and it's got something to do with JSON which is completely alien to me as of now. Can someone tell me what exactly is the significance of _xfConfirm, _xfToken and 'redirect' in the above lines of code?
 
_xfConfirm is used with the isConfirmedPost method inside controllers - look at a few delete actions.

_xfToken is the CSRF token.

redirect is generally used when the page to redirect to after the action changes, and the redirect target is the content of that field.

Liam
 
Liam W said:
redirect is generally used when the page to redirect to after the action changes, and the redirect target is the content of that field.
Click to expand...
I added a delete functionality to my addon that displays a list of few items; and it works properly even without the 'redirect' thingy. Looks like it defaults to current page.

Well, I'm curious - why doesn't delete work just the same way as 'save'. I can have 'save' functionality just with _xfToken; but delete requires both?
 
The CSRF checks are done when the POST method is used (or the URI has js as the first two characters) so they should be present in all save and delete actions.

Liam
 
For the admin forms (using the <xen:form> tags), you don't need to add the

Code: 
<input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />

as XenForo does this for you when the admin templates are compiled.

CSRF means Cross Site Request Forgery and with the param _xfToken, XenForo checks if the request originates from a safe location and you yourself initiated the request.

And as for _xfConfirm, it is just a "helper" parameter so that XenForo can determine if the request is a "confirmed post" when you call the "$this->isConfirmedPost()" from your controller class. ;)
 
You must log in or register to reply here.

Similar threads

Mr Lucky
Cannot reproduce Select for moderation counter does not work when Paypal donation button on page
Replies
1
Views
538
Jeremy P
Jeremy P
asprin
  • Solved
XF 2.1 Why is the first hidden input value being populated with a random token value?
Replies
1
Views
405
asprin
asprin
RandomForums
  • Question Question
XF 2.0 Filters menu in sidebar
Replies
1
Views
372
Oblivion Knight
Oblivion Knight
LPH
XF 2.0 Value of _xfToken outside XF
Replies
2
Views
3K
victormarconi
victormarconi
LPH
Login after external form creates user
Replies
1
Views
843
LPH
LPH
Top Bottom