CSRFGenerateToken

Generates a random token and stores it in the session to protect against Cross-Site Request Forgery (CSRF) attacks. You can optionally provide a specific key to store in the session, and optionally force the generation of a new token.

CSRFGenerateToken( [key] [,forceNew] ) → returns Token

Argument Reference for the CSRFGenerateToken function

key

Required: No
A random token is generated and stored in the session under the key provided, so that different forms (or different browser tabs) can each hold their own token.

forceNew

Required: No
Default: false
If set to true, a new token is generated every time the method is called. If false, and a token already exists for the key, the existing token is returned. Values:
  • true
  • false

Compatibility

ColdFusion:

Version 10+: CF 10+ added this function.

Examples: sample code invoking the CSRFGenerateToken function

CSRF Form Protection

Use CSRFGenerateToken() to generate a unique token for each form submission.

<!--- The ##...## expressions only evaluate inside cfoutput --->
<cfoutput>
<form action="#CGI.SCRIPT_NAME#" method="post">
	<input type="hidden" name="f#hash( 'userId', 'SHA-384', 'UTF-8', 1000 )#" value="#encrypt( userObj.getUserId(), rc.key, rc.alg, rc.enc )#">
	<!--- Fresh token on every render, stored in the session under the default key --->
	<input type="hidden" name="f#hash( 'formToken', 'SHA-512', 'UTF-8', 500 )#" value="#CSRFGenerateToken( forceNew = true )#">
	<input type="text" name="emailAddress" value="#userObj.getEmailAddress()#">
	<input type="text" name="phoneNumber" value="#userObj.getPhoneNumber()#">
	<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>
</cfoutput>

CSRF Form Protection w/ specified key

Use CSRFGenerateToken() to generate a unique token for each form submission. This example specifies a key to store the token into the session with.

<!--- The ##...## expressions only evaluate inside cfoutput --->
<cfoutput>
<form action="#CGI.SCRIPT_NAME#" method="post">
	<input type="hidden" name="f#hash( 'userId', 'SHA-384', 'UTF-8', 1000 )#" value="#encrypt( userObj.getUserId(), rc.key, rc.alg, rc.enc )#">
	<!--- Token stored in the session under the key 'profile'; verify it against the same key on submit --->
	<input type="hidden" name="f#hash( 'formToken', 'SHA-512', 'UTF-8', 500 )#" value="#CSRFGenerateToken( key = 'profile', forceNew = true )#">
	<input type="text" name="emailAddress" value="#userObj.getEmailAddress()#">
	<input type="text" name="phoneNumber" value="#userObj.getPhoneNumber()#">
	<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>
</cfoutput>

CSRF Form Protection w/ automated key generation

Use CSRFGenerateToken() to generate a unique token for each form submission. This example specifies a key automatically to store the token into the session with (for multiple open browser tabs).

<!--- Per-render session key, so a form opened in a second tab does not invalidate the first --->
<cfset tokenVar = 't' & lCase( hash( createUUID() & randRange( 1000, 100000 ), 'MD5', 'UTF-8', 250 ) )>
<!--- The ##...## expressions only evaluate inside cfoutput --->
<cfoutput>
<form action="#CGI.SCRIPT_NAME#" method="post">
	<input type="hidden" name="f#hash( 'userId', 'SHA-384', 'UTF-8', 1000 )#" value="#encrypt( userObj.getUserId(), rc.key, rc.alg, rc.enc )#">
	<!--- The key travels with the form so the handler knows which session token to check --->
	<input type="hidden" name="f#hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )#" value="#tokenVar#">
	<input type="hidden" name="f#hash( 'formToken', 'SHA-512', 'UTF-8', 500 )#" value="#CSRFGenerateToken( key = tokenVar, forceNew = true )#">
	<input type="text" name="emailAddress" value="#userObj.getEmailAddress()#">
	<input type="text" name="phoneNumber" value="#userObj.getPhoneNumber()#">
	<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>
</cfoutput>
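A generated token only protects the form if the handler actually checks it on submit. The following is an added example, not code from the original page, showing the receiving side of the "automated key generation" form above: it recomputes the hashed field names, reads the per-form key and token out of the POST, and verifies them with CSRFVerifyToken (a ColdFusion 10+ built-in that checks a token against the one stored in the current session under the given key). It assumes session management is enabled in Application.cfc, since the token lives in the session; `userService` is a hypothetical placeholder for whatever processes the profile change.

```cfml
<!--- Added example (not from the original page). Requires session management,
      e.g. in Application.cfc:  this.sessionManagement = true --->
<cfif cgi.request_method EQ "POST">
	<!--- Recompute the same hashed field names the form used --->
	<cfset keyField   = "f" & hash( "tokenVar",  "SHA-512", "UTF-8", 500 )>
	<cfset tokenField = "f" & hash( "formToken", "SHA-512", "UTF-8", 500 )>

	<cfset submittedKey   = structKeyExists( form, keyField )   ? form[ keyField ]   : "">
	<cfset submittedToken = structKeyExists( form, tokenField ) ? form[ tokenField ] : "">

	<!--- CSRFVerifyToken returns true only when the posted token equals the token
	      this session stored under the posted key. A missing key, a key the server
	      never generated, or a token from another session all fail the check. --->
	<cfif len( submittedKey ) AND len( submittedToken )
	      AND CSRFVerifyToken( submittedToken, submittedKey )>
		<!--- Token is valid for this session: process the change.
		      userService is a hypothetical placeholder. --->
		<cfset userService.updateProfile( form.emailAddress, form.phoneNumber )>
	<cfelse>
		<!--- Reject without side effects; log so repeated failures can be spotted --->
		<cflog file="csrf" type="warning"
		       text="CSRF token check failed for #cgi.remote_addr# on #cgi.script_name#">
		<cfheader statusCode="403" statusText="Forbidden">
		<cfoutput>Invalid or missing CSRF token.</cfoutput>
		<cfabort>
	</cfif>
</cfif>
```

For the first two forms on this page the key is not posted: verify with `CSRFVerifyToken( submittedToken )` for the default key, or `CSRFVerifyToken( submittedToken, 'profile' )` for the fixed key. Because those forms use `forceNew = true` with a single key, rendering the form again (for example in a second tab) replaces the session token and the earlier tab's submission will fail; that is the situation the per-render key in the third example avoids.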
