XF 2.0 Value of _xfToken outside XF

LPH

Well-known member
Currently, to log in to XF externally, I have these three values passed. The _xfToken is blank.

Code:
<input type="hidden" name="cookie_check" value="0"/>
<input type="hidden" name="redirect" value="<?php echo $redirect ?>"/>
<input type="hidden" name="_xfToken" value=""/>

XF2 code includes ' . htmlspecialchars($this->app['csrf.token']) . ' and so I was trying to figure out how to match it. Below isn't quite right because I'm missing the name-arguments pair needed in the fn.

Code:
<input type="hidden" name="cookie_check" value="0"/>
<input type="hidden" name="redirect" value="<?php echo $redirect ?>"/>
<input type="hidden" name="_xfToken" value="<?php htmlspecialchars( \XF::app()->templater()->fn('', 'csrf.token') ) ?>"/>

What is the purpose of the _xfToken and is it necessary?
 
It's to prevent CSRF security issues and it is generally needed. You can access it via:
Code:
\XF::app()->get('csrf.token')
Note however that it's done via a cookie though -- there is some tricky stuff here because you need to read an existing cookie and potentially set a new one.

Saying that, the login path explicitly skips the CSRF token check roughly because it's a common thing to put on an external page.
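
The cookie handling described in the answer above, shown as an added illustration that is not part of the original thread and is not XenForo's own code: a generic cookie-bound CSRF token in PHP. The cookie name, secret and function names are hypothetical; inside XenForo the token itself comes from \XF::app()->get('csrf.token').

```php
<?php
// Generic cookie-bound CSRF token. NOT XenForo's internals; all names are hypothetical.
const CSRF_COOKIE = 'demo_csrf';

// Reuse the visitor's existing cookie value, or mint one and hand it to $setCookie.
function csrfCookieValue(array $cookies, callable $setCookie): string
{
    $value = $cookies[CSRF_COOKIE] ?? '';
    if (!is_string($value) || !preg_match('/^[a-f0-9]{32}$/', $value)) {
        $value = bin2hex(random_bytes(16));
        $setCookie(CSRF_COOKIE, $value);
    }
    return $value;
}

// Token = issue time plus an HMAC binding that time to this browser's cookie.
function csrfToken(string $cookieValue, string $secret, int $issued): string
{
    return $issued . ',' . hash_hmac('sha256', $issued . '|' . $cookieValue, $secret);
}

function csrfTokenIsValid(string $token, string $cookieValue, string $secret, int $now, int $maxAge = 3600): bool
{
    $parts = explode(',', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d{1,10}$/', $parts[0])) {
        return false; // blank or malformed token
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > $maxAge) {
        return false; // issued in the future, or expired
    }
    // Constant-time comparison against the token recomputed for this cookie.
    return hash_equals(csrfToken($cookieValue, $secret, $issued), $token);
}

// Constructed demo values. A real page would pass $_COOKIE and a closure around
// setcookie($name, $value, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']).
$secret = 'constructed-demo-secret';
$sent = [];
$cookie = csrfCookieValue([], function (string $n, string $v) use (&$sent) { $sent[$n] = $v; });
$token = csrfToken($cookie, $secret, time());

var_dump(isset($sent[CSRF_COOKIE]));                                            // first visit: was a cookie set?
var_dump(csrfTokenIsValid($token, $cookie, $secret, time()));                   // same browser's cookie
var_dump(csrfTokenIsValid($token, bin2hex(random_bytes(16)), $secret, time())); // a different cookie
var_dump(csrfTokenIsValid('', $cookie, $secret, time()));                       // blank token, as in the first post's form
```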
 

Is there an API with which I can manage user login / logout?
I'd like to call these functions from an existing Laravel app.

Whenever the user logs in to Laravel, it would call this API to make the user log into XenForo.
 