CSRFVerifyToken

Validates the passed in token against the token stored in the session for a specific key. Used to help prevent Cross-Site Request Forgery (CSRF) attacks.

CSRFVerifyToken( token [,key] ) → returns Boolean

CSRFVerifyToken Argument Reference

token
Required

The passed in token that is to be validated against the token stored in the session.

key
Optional

The key against which the token was originally generated.

Compatibility

ColdFusion:

Version 10+ (CF 10 added this function).

Examples: sample code invoking the CSRFVerifyToken function


CSRF Form Validation

Use CSRFVerifyToken() to verify a unique token for each form submission.

<cfscript>
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	if( !CSRFVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )] ) ) {
		// formToken is not a valid token
		// redirect user to login form (etc.)
	}
</cfscript>

CSRF Form Validation w/ specified key

Use CSRFVerifyToken() to verify a unique token, generated against a specific key, for each form submission.

<cfscript>
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	if( !CSRFVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )], 'profile' ) ) {
		// formToken is not a valid token
		// redirect user to login form (etc.)
	}
</cfscript>

CSRF Form Validation w/ automated key validation

Use CSRFVerifyToken() to verify a unique token with a unique session variable for each form submission (for multiple open browser tabs).

<cfscript>
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	if( !CSRFVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )], FORM[ 'f' & hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )] ) ) {
		// formToken is not a valid token
		// redirect user to login form (etc.)
	}
</cfscript>
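The examples above show only the verifying side. The following is an added example, not code from the original page or from the CFDocs project, that shows the whole round trip in cfscript: the form page generates a token bound to a key with CSRFGenerateToken(), embeds it in a hidden field, and the action page calls CSRFVerifyToken() with the same key before it touches any submitted data. The file names, the field names, the key name 'profile' and the log file name are assumptions for illustration; the application must have session management enabled in Application.cfc for either function to work.

```cfml
<!--- Application.cfc (assumed) must set: this.sessionManagement = true; --->

<!--- profileForm.cfm (assumed file name): issue a token bound to the key "profile" --->
<cfscript>
	// forceNew = false reuses the token already stored in the session for this key,
	// so several open tabs of the same form all carry a token that still verifies.
	csrfToken = CSRFGenerateToken( "profile", false );
</cfscript>
<cfoutput>
<form method="post" action="profileAction.cfm">
	<input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute( csrfToken )#">
	<input type="email" name="emailAddress">
	<input type="tel" name="phoneNumber">
	<button type="submit">Save</button>
</form>
</cfoutput>

<!--- profileAction.cfm (assumed file name): verify before processing anything --->
<cfscript>
	param name="FORM.csrfToken" default="";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// The key must match the one used at generation time: a token issued for a
	// different key, or by a different session, fails this check.
	if ( !CSRFVerifyToken( FORM.csrfToken, "profile" ) ) {
		// Record the failure with request context so repeated mismatches can be
		// spotted in the logs, then send the user back to the login form.
		writeLog( type="warning", file="csrf", text="CSRF token mismatch for #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR#" );
		location( "login.cfm", false );
	}

	// Token is valid: FORM.emailAddress and FORM.phoneNumber can be processed here.
</cfscript>
```

Keeping the generate and verify calls on the same key is the whole contract: CSRFVerifyToken() compares the submitted value against the token the session holds for that key, so a form that generates under 'profile' and verifies under the default key will always fail. The hidden field is HTML-attribute encoded on output so the token cannot break out of the input element; the check runs before any use of the other form fields so a forged request does no work at all.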
