Commit 0c932d55 (2011-06-02): added getTokenValue method to facilitate AJAX usage of tokenizer. Als…
<!---TOKENIZER v. 1.2
NOTES ON IMPLEMENTATION

The process of implementation goes something like this:

Step 1 -> Create a tokenizer instance and pass it the session scope (if the page posts to itself, place this at the very top,
before the form processing; that will save you having to complete Step 4 later)

tokenizer = createObject('component','admin.com.tokenizer').init(session);

The name of the tokenizer variable doesn't really matter here.

Step 2 -> Create a new token. This takes two arguments: 1) the name of the token (no spaces, must be a valid variable name) 2) the time in seconds before the token expires (make this reasonable considering the length of the form)
IMPORTANT: If the form self-posts then this should be done after the form processing code but before the
display of the form itself.

tokenizer.createToken('tokenName',300);

Step 3 -> Write the token to the page within the <form>

<cfoutput>#tokenizer.writeTokenToPage('tokenName')#</cfoutput>

The rest of the implementation happens in your form processing code.

Step 4 -> Create an instance of the tokenizer. If you are self-posting this form and you followed Step 1 (hint hint) then you
can skip this step and collect $200.

tokenizer = createObject('component','admin.com.tokenizer').init(session);

Step 5 -> In the IF statement that kicks off form processing add the following

AND tokenizer.checkToken('tokenName',form.xsrf_token)

This does all the checking to ensure that the token is valid (it exists in the session, has not expired and matches the posted value).

Step 6 -> Inside the form processing IF statement, after you are done with all the form processing, add this line

<cfset tokenizer.removeToken('tokenName')>

This removes the token and prevents the form from being double posted.
--->
<cfcomponent hint="Tokenizer v.1.2">
	<cffunction name="init" access="public" returntype="tokenizer" hint="Binds the tokenizer to the caller's session scope and creates the per-session token store">
		<cfargument name="sessionScope" type="struct" required="yes">

		<cfscript>
			variables.sessionScope = arguments.sessionScope;

			if(not StructKeyExists(variables.sessionScope,'tokenStore')){
				// create the token store if it does not exist
				variables.sessionScope.tokenStore = structnew();
			}

			// keep a direct reference to the session-backed store; tokens live only in the session
			variables.tokenStore = variables.sessionScope.tokenStore;

			return this;
		</cfscript>
	</cffunction>

	<cffunction name="createToken" access="public" returntype="void" hint="Creates a token unless a live one with this name already exists">
		<cfargument name="tokenName" required="true" type="string">
		<cfargument name="tokenExpires" required="true" type="numeric" hint="The number of seconds before the token expires">
		<cfscript>
			if(not structKeyExists(variables.tokenStore,arguments.tokenName) OR isTokenExpired(arguments.tokenName)){
				// Token is either expired or does not exist so we will create it.
				// A live token is deliberately reused so that a self-posting page does not invalidate the form it is displaying.
				variables.tokenStore[arguments.tokenName] = {
					token = createUUID(),
					expires = dateAdd('s',arguments.tokenExpires,now())
				};
			}
		</cfscript>
	</cffunction>

	<cffunction name="writeTokenToPage" access="public" returntype="string" hint="creates the hidden form input for doing tokenization; createToken must have been called for this tokenName first">
		<cfargument name="tokenName" required="true" type="string">

		<cfscript>
			// the input name xsrf_token is fixed; checkToken expects the posted value from form.xsrf_token
			return '<input type="hidden" name="xsrf_token" id="xsrf_token" value="' & variables.tokenStore[arguments.tokenName].token & '" />';
		</cfscript>
	</cffunction>

	<cffunction name="isTokenExpired" access="public" returntype="boolean" hint="True when the named token exists and its expiry time has been reached">
		<cfargument name="tokenName" required="true" type="string">

		<cfscript>
			// dateDiff('s', expires, now()) is positive once now() is past the expiry time
			return structKeyExists(variables.tokenStore,arguments.tokenName) AND dateDiff('s',variables.tokenStore[arguments.tokenName].expires,now()) gte 0;
		</cfscript>
	</cffunction>

	<cffunction name="checkToken" access="public" returntype="boolean" hint="True only when the token exists, has not expired and matches the submitted value">
		<cfargument name="tokenName" required="true" type="string">
		<cfargument name="tokenValue" required="true" type="string">

		<cfscript>
			// eq is a case-insensitive string comparison, which is fine for createUUID() output
			return structKeyExists(variables.tokenStore,arguments.tokenName)
				AND NOT isTokenExpired(arguments.tokenName)
				AND arguments.tokenValue eq variables.tokenStore[arguments.tokenName].token;
		</cfscript>
	</cffunction>

	<cffunction name="removeToken" access="public" returntype="void" hint="Deletes the token so the same form cannot be posted twice">
		<cfargument name="tokenName" type="string" required="true">
		<cfscript>
			if(structKeyExists(variables.tokenStore,arguments.tokenName)){
				structDelete(variables.tokenStore,arguments.tokenName);
			}
		</cfscript>
	</cffunction>

	<cffunction name="getTokenValue" access="public" returntype="string" hint="Returns the raw token value (for AJAX clients that cannot use the hidden input) or an empty string">
		<cfargument name="tokenName" type="string" required="true">
		<cfscript>
			if(structKeyExists(variables.tokenStore,arguments.tokenName)){
				return variables.tokenStore[arguments.tokenName].token;
			}else{
				return '';
			}
		</cfscript>
	</cffunction>
</cfcomponent>

Commit 34706c9f (2011-05-19): Initial commit of Tokenizer. Currently at version 1.1
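The six steps from the header comment wired into one self-posting page, as an added example that is not part of the tokenizer project itself. The page name `contact.cfm`, the token name `contactForm`, the `submit` and `body` field names and the stored-message placeholder are assumptions.

```cfml
<!--- contact.cfm (assumed name): a self-posting form protected by admin.com.tokenizer --->

<!--- Step 1: create the tokenizer at the very top, before any form processing, so Step 4 is not needed --->
<cfset tokenizer = createObject('component','admin.com.tokenizer').init(session)>
<cfset message = "">

<cfif structKeyExists(form, 'submit')>
	<!--- Step 5: the token must exist in this session, be unexpired and match the posted hidden field --->
	<cfif structKeyExists(form, 'xsrf_token') AND tokenizer.checkToken('contactForm', form.xsrf_token)>
		<!--- ... save form.body here (placeholder for the real processing) ... --->
		<cfset message = "Thanks, your message was received.">

		<!--- Step 6: remove the token once processing is done so a repeat POST of the same page is rejected --->
		<cfset tokenizer.removeToken('contactForm')>
	<cfelse>
		<!--- Missing, stale or mismatched token: refuse the request without processing it.
		      A still-live token is kept, so the user can simply resubmit the redisplayed form. --->
		<cfset message = "The form token was missing or has expired. Please submit the form again.">
	</cfif>
</cfif>

<!--- Step 2: after processing and before display, create a token that lives 5 minutes.
      createToken reuses a live token, so redisplaying the form after a failed check keeps it valid. --->
<cfset tokenizer.createToken('contactForm', 300)>

<cfoutput>
<p>#htmlEditFormat(message)#</p>
<form method="post" action="#cgi.script_name#">
	<!--- Step 3: the hidden xsrf_token input goes inside the form --->
	#tokenizer.writeTokenToPage('contactForm')#
	<label>Message <textarea name="body"></textarea></label>
	<input type="submit" name="submit" value="Send">
</form>
</cfoutput>
```

An AJAX client on the same page would read `tokenizer.getTokenValue('contactForm')` into its request body under the name `xsrf_token`, and the receiving endpoint would run the same Step 5 and Step 6 calls.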