csrfGenerateToken

Generates a random token and stores it in the session to protect against Cross-Site Request Forgery (CSRF) attacks. You can optionally provide a specific key to store in the session, and optionally force the generation of a new token.

csrfGenerateToken( [key] [,forceNew] ) → returns string

Argument Reference

key string

A random token is generated based on the key provided. This key is stored in the session.

forceNew boolean
Default: false

If set to true, a new token is generated every time the function is called. If false and a token already exists in the session for the given key, that existing token is returned instead of a new one.

Examples
Sample code invoking the csrfGenerateToken function

Use csrfGenerateToken() to generate a unique token for each form submission.

<form action="#CGI.SCRIPT_NAME#" method="post">
	<input type="hidden" name="f#hash( 'userId', 'SHA-384', 'UTF-8', 1000 )#" value="#encrypt( userObj.getUserId(), rc.key, rc.alg, rc.enc )#">
	<input type="hidden" name="f#hash( 'formToken', 'SHA-512', 'UTF-8', 500 )#" value="#csrfGenerateToken( forceNew = true )#">
	<input type="text" name="emailAddress" value="#userObj.getEmailAddress()#">
	<input type="text" name="phoneNumber" value="#userObj.getPhoneNumber()#">
	<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>

Use csrfGenerateToken() to generate a unique token for each form submission. This example specifies a key to store the token into the session with.

<form action="#CGI.SCRIPT_NAME#" method="post">
	<input type="hidden" name="f#hash( 'userId', 'SHA-384', 'UTF-8', 1000 )#" value="#encrypt( userObj.getUserId(), rc.key, rc.alg, rc.enc )#">
	<input type="hidden" name="f#hash( 'formToken', 'SHA-512', 'UTF-8', 500 )#" value="#csrfGenerateToken( key = 'profile', forceNew = true )#">
	<input type="text" name="emailAddress" value="#userObj.getEmailAddress()#">
	<input type="text" name="phoneNumber" value="#userObj.getPhoneNumber()#">
	<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>

Use csrfGenerateToken() to generate a unique token for each form submission. This example generates a per-form key automatically and stores the token in the session under that key, so that multiple open browser tabs each keep their own token instead of overwriting one another's.

<cfset tokenVar = 't' & lCase( hash( createUUID() & randRange( 1000, 100000 ), 'MD5', 'UTF-8', 250 ) )>
<form action="#CGI.SCRIPT_NAME#" method="post">
	<input type="hidden" name="f#hash( 'userId', 'SHA-384', 'UTF-8', 1000 )#" value="#encrypt( userObj.getUserId(), rc.key, rc.alg, rc.enc )#">
	<input type="hidden" name="f#hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )#" value="#tokenVar#">
	<input type="hidden" name="f#hash( 'formToken', 'SHA-512', 'UTF-8', 500 )#" value="#csrfGenerateToken( key = tokenVar, forceNew = true )#">
	<input type="text" name="emailAddress" value="#userObj.getEmailAddress()#">
	<input type="text" name="phoneNumber" value="#userObj.getPhoneNumber()#">
	<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>
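The forms above only show the token being issued. The server-side counterpart, which the cfdocs page does not include, is shown below as an added example: a handler for the third form that recomputes the hashed field names, reads the per-tab key back out of the posted form, and checks the token with csrfVerifyToken(). It assumes the form field names exactly as rendered above, a session-enabled application, and script-syntax cfheader (ColdFusion 11+ / Lucee); the log file name and the isValidProfileSubmission helper are illustrative choices, not part of the original page.

```cfml
<cfscript>
// Added example, not from the cfdocs page: the POST handler for the per-tab form above.
// The field names are hashed in the form, so recompute the same hashes to find them in the form scope.
fieldTokenVar  = 'f' & hash( 'tokenVar',  'SHA-512', 'UTF-8', 500 );
fieldFormToken = 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 );

// Returns true only when both hidden fields are present and the token matches
// the one stored in the session under the key the form posted back.
function isValidProfileSubmission( required struct formScope ) {
	// A request missing either field did not originate from the rendered form.
	if ( !structKeyExists( formScope, fieldTokenVar ) || !structKeyExists( formScope, fieldFormToken ) ) {
		return false;
	}
	// csrfVerifyToken( token, key ): the key selects which session-stored token to compare against.
	// An unknown key has no stored token, so verification simply fails.
	return csrfVerifyToken( formScope[ fieldFormToken ], formScope[ fieldTokenVar ] );
}

if ( !isValidProfileSubmission( form ) ) {
	// Treat a failed check as a possible CSRF attempt: record it and refuse to process the request.
	writeLog( file = 'security', type = 'warning',
	          text = 'CSRF token check failed for #cgi.script_name# from #cgi.remote_addr#' );
	cfheader( statusCode = 403, statusText = 'Forbidden' );
	abort;
}

// Token verified: it is now safe to apply the profile changes from the form scope.
</cfscript>
```

Because the per-tab key travels with the form, the handler never has to guess which tab submitted; the security still rests on the token value itself, which only exists in that user's session. For the first two forms, which use the default key or a fixed key such as 'profile', the same handler works with the key argument omitted or set to that literal.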
