Nonce manager for Coldfusion forms for more information, wiki, issue tracker, and feature requests visit
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Welcome to Tokenizer 1.1!

Tokenizer is a Nonce/Token management system for preventing XSRF (cross site request forgery) on coldfusion based forms.
It's purpose is to create a simple standardized way to manage tokens and prevent blind posts that could be hazardous to
your users or system. Check out the examples,, and if you have questions or issues.

The article about Tokenizer and implementing it is here:

Create tokenizer object in VARIABLES scope and reference functions.

The process of implementation goes something like this:
Step 1 -> Create a tokenizer instance and pass it the session scope (if the page posts to itself place this at the very top,
before the form processing that will save you having to complete step 4 later)
variables.tokenizer = createObject('component','').init(session);
Name of the tokenizer variable doesn't really matter here.

Step 2 -> Create a new token. This takes two arguments: 1) The name of the token (no spaces, must be a valid variable name) 2) the time in seconds before the token expires (make this reasonable considering the length of the form)
IMPORTANT:: If the form self posts then this should be done after the form processing code but before the
display of the form itself. 


Step 3 -> Write the token to the page with in the
The rest of the implementation happens in your form processing code

Step 4 -> Create an instance of the tokenizer if you are self-posting this form and you followed Step 1 (hint hint) then you
can skip this step and collect $200.

variables.tokenizer = createObject('component','').init(session);

Step 5 -> in the IF statement that kicks off form processing add the following
AND variables.tokenizer.checkToken('tokenName',form.xsrf_token)
This does all the checking to ensure that the token is valid

Step 6 -> inside the form processing IF statement and after you are done with all the form processing add this line
<cfset variables.tokenizer.removeToken('tokenName')>
This removes the token and prevents the form from being double posted.

	Added a getTokenValue method for working with AJAX requests and tokens.
	Updated the example docs with the AJAX examples.

	Corrected a bug in the submit.cfm that referenced the wrong token name when removing the token.
	Added a checkTokenLife() method that returns the number of seconds left in the life of a token.
	Added a checkTokenLifeRemote() method for remote access to the number of seconds left in the life of a token.
	Added output="no" to the component and the methods within it.

	The only change in 1.0.2 was the addition of demos for self posting and posting to another page.

	The only change for 1.0.1 is the addition of an id to the hidden input that is created by writeTokenToPage()

	This is the base release. Check out the CFC and the comments in it to understand all the features, etc.

Tokenizer has been tested on CF 9.0.1 and Railo 3.2.2+. It should also work on CF 8 and OpenBD, though it has not been
tested in these configurations. 

If you test it and it works email and I'll add it to this list and credit you with testing 
it. Thanks!

The application.cfc in the examples is heavily based on Ben Nadel's application.cfc template ( The concept 
for tokenizer draws heavily on Jason Dean's may fantastic security articles (htttp:// which you should be reading. The AJAX header code draws on  for writing headers in cfscript.

Tokenizer is created and maintained by Daniel Sellers