CSRFVerifyToken

Validates the token submitted with a request against the token that CSRFGenerateToken() stored in the current session for a specific key. Used to help prevent Cross-Site Request Forgery (CSRF) attacks. Returns true only when the submitted token matches the stored one; treat false as a reason to reject the request rather than process the form. Because the token lives in the session, session management must be enabled in the application.

CSRFVerifyToken( token [,key] ) → returns Boolean

Argument Reference for the CSRFVerifyToken function

token

Required: Yes
The token submitted with the request (typically from a hidden form field), to be compared with the token stored in the session.

key

Required: No
The key against which the token was originally generated. Must match the key passed to CSRFGenerateToken(); omit it when the token was generated without a key.

Compatibility

ColdFusion:

Version 10+: Added this function.

Examples: sample code invoking the CSRFVerifyToken function

CSRF Form Validation

Use CSRFVerifyToken() to verify the token submitted with a form against the token stored in the session under the default key. If verification fails, stop processing the form.

<cfscript>
	// Field names are derived by hashing the logical field name
	// (the 'f' prefix keeps the generated name starting with a letter)
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// No key given: the token must have been created by CSRFGenerateToken() without a key
	if( !CSRFVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )] ) ) {
		// formToken is not a valid token: do not process the form
		// redirect user to login form (etc.)
	}
</cfscript>

CSRF Form Validation w/ specified key

Use CSRFVerifyToken() with an explicit key to verify a token that was generated with CSRFGenerateToken( 'profile' ). Each key holds its own token in the session, so different forms can be protected independently.

<cfscript>
	// Field names are derived by hashing the logical field name
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// The key must be the same one passed to CSRFGenerateToken() when the form was rendered
	if( !CSRFVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )], 'profile' ) ) {
		// formToken is not a valid token for the 'profile' key: do not process the form
		// redirect user to login form (etc.)
	}
</cfscript>

CSRF Form Validation w/ automated key validation

Use CSRFVerifyToken() with a key that travels with the form, so that each rendered form (for example in multiple open browser tabs) carries its own token and key pair. The key arrives from the request and is therefore attacker-choosable; this is acceptable because the attacker still cannot read the token stored in the victim's session for any key, and a key with no stored token simply fails verification.

<cfscript>
	// Field names are derived by hashing the logical field name
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// tokenVar carries the key that was used with CSRFGenerateToken() when the form was rendered
	if( !CSRFVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )], FORM[ 'f' & hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )] ) ) {
		// formToken is not a valid token for the submitted key: do not process the form
		// redirect user to login form (etc.)
	}
</cfscript>
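The examples above show only the verification side. The following is an added example, not code from the original page, showing the full round trip that the three examples assume: a page that on GET generates a token and a per-form key with CSRFGenerateToken() and embeds both in hidden fields, and on POST verifies them with CSRFVerifyToken() and fails closed with a 403 instead of processing the form. The file name profile.cfm, the field names csrfToken and csrfKey, and the updateEmail() call are assumptions for illustration; the example also assumes Application.cfc has this.sessionManagement = true, since the tokens are stored in the session.

```cfml
<!--- profile.cfm (added example; assumes Application.cfc sets this.sessionManagement = true) --->
<cfscript>
	if ( cgi.request_method == "POST" ) {
		// Defaults are deliberately empty so a request without a token never matches anything
		param name="FORM.csrfToken" default="";
		param name="FORM.csrfKey" default="";
		param name="FORM.emailAddress" default="";

		// Fail closed: an empty key or a token that does not match the one stored in the
		// session for that key ends the request here, before any state is changed.
		if ( !len( FORM.csrfKey ) || !CSRFVerifyToken( FORM.csrfToken, FORM.csrfKey ) ) {
			// setStatus() is the servlet API call; it works on CF10 where cfheader script syntax is not available
			getPageContext().getResponse().setStatus( 403 );
			writeOutput( "Invalid or missing CSRF token." );
			abort;
		}

		// Token verified: safe to apply the state change
		// updateEmail( session.userId, FORM.emailAddress );   // hypothetical application code
		writeOutput( "Profile updated." );
		abort;
	}

	// GET: one key per rendered form, so several open tabs each get their own token.
	// The UUID key only has to be unique within this session; it is not a secret.
	csrfKey   = createUUID();
	csrfToken = CSRFGenerateToken( csrfKey, false );
</cfscript>

<cfoutput>
<form method="post" action="profile.cfm">
	<!--- Encode the values even though they are server-generated: never trust output context --->
	<input type="hidden" name="csrfKey"   value="#encodeForHTMLAttribute( csrfKey )#">
	<input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute( csrfToken )#">
	<label>Email <input type="email" name="emailAddress"></label>
	<button type="submit">Save</button>
</form>
</cfoutput>
```

Passing a fixed key such as 'profile' instead of createUUID() gives the behaviour of the second example above (one token per form type for the whole session); passing true as the second argument of CSRFGenerateToken() issues a fresh token on every render instead of re-using the one already stored for that key. Whichever variant is used, the verification branch should run before any write, and a false result should never fall through to the update.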
