csrfVerifyToken

Validates the passed-in token against the token stored in the current user's session for a specific key. Used to help prevent Cross-Site Request Forgery (CSRF) attacks. The token must have been created earlier in the same session by csrfGenerateToken() with the same key; because the stored token lives in the session scope, session management must be enabled in the application for these functions to work. Returns true only when the submitted token matches the stored one.

csrfVerifyToken( token [,key] ) → returns boolean

csrfVerifyToken Argument Reference

token string
Required

The passed in token that is to be validated against the token stored in the session.

key string
Optional

The key against which the token was originally generated with csrfGenerateToken(). It must match that key exactly; if omitted, the token is checked against the same default key that csrfGenerateToken() uses when no key is given. A token generated for one key does not verify against another.

Examples

Use csrfVerifyToken() to verify a token that was generated with the default key (csrfGenerateToken() called without a key) for each form submission.

<cfscript>
	// The hidden field names are derived from a hash of a fixed label, so the
	// same name is produced for every user. That hides the field name from a
	// casual reader but is not part of the CSRF protection; the protection is
	// the token value itself, which only this session holds.
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// No key argument: verify against the default key.
	if ( !csrfVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )] ) ) {
		// formToken is not a valid token: do not process the submitted data.
		// Redirect the user to the login form (etc.) and stop the request.
	}
</cfscript>

Use csrfVerifyToken() to verify a token that was generated against a specific key (here 'profile', i.e. csrfGenerateToken( 'profile' ) was called when the form was rendered). A token generated with a different key, or with the default key, will not verify.

<cfscript>
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// The key passed here must be the same key used with csrfGenerateToken().
	if ( !csrfVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )], 'profile' ) ) {
		// formToken is not a valid token for the 'profile' key: do not process
		// the submitted data. Redirect the user to the login form (etc.) and stop.
	}
</cfscript>

Use csrfVerifyToken() to verify a token together with a per-form key that is carried in a hidden field (here 'tokenVar'). Each rendered form gets its own key and token, so the same page can be open in multiple browser tabs without one tab's token replacing another's. Note that the key arrives from the client and is therefore untrusted input; it should be validated as such before use, and verification must still fail unless a token for that exact key exists in the session.

<cfscript>
	param name="FORM[ 'f' & hash( 'userId', 'SHA-384', 'UTF-8', 1000 )]" default="0";
	param name="FORM[ 'f' & hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )]" default="0";
	param name="FORM.emailAddress" default="";
	param name="FORM.phoneNumber" default="";

	// The key comes from the form (tokenVar); the token must have been generated
	// for that key with csrfGenerateToken( tokenVar ) when the form was rendered.
	if ( !csrfVerifyToken(
			FORM[ 'f' & hash( 'formToken', 'SHA-512', 'UTF-8', 500 )],
			FORM[ 'f' & hash( 'tokenVar', 'SHA-512', 'UTF-8', 500 )]
		) ) {
		// formToken is not a valid token for the supplied key: do not process
		// the submitted data. Redirect the user to the login form (etc.) and stop.
	}
</cfscript>
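The examples above show only the verifying side. The following is an added, self-posting page (not from this documentation or from the ColdFusion/Lucee engine) that shows the whole round trip: it generates a per-form key and token with csrfGenerateToken() when the form is rendered, sends both back in hidden fields, validates the client-supplied key's shape before handing it to csrfVerifyToken(), rejects the request with a 403 on failure, and rotates the token once it has been consumed. The file name profile.cfm, the key format "profile_" plus 32 hex characters, the log file name "csrf", and the existence of an Application.cfc with this.sessionManagement = true are assumptions for the example.

```cfml
<!--- profile.cfm (example file name): self-posting form with per-form CSRF keys.
      Assumes an Application.cfc that sets this.sessionManagement = true, since
      csrfGenerateToken() and csrfVerifyToken() store and read the token in the
      SESSION scope. --->
<cfscript>
	// One key per rendered form instance, so several tabs of this page can be
	// open at once without one tab's token replacing another's. The key is sent
	// back in a hidden field, so it is untrusted on the way in: accept only the
	// shape we generate ("profile_" + 32 lowercase hex chars; assumed format).
	keyPattern = "^profile_[0-9a-f]{32}$";

	if ( cgi.request_method == "POST" ) {
		param name="FORM.tokenVar" default="";
		param name="FORM.formToken" default="";
		param name="FORM.emailAddress" default="";

		// Shape check first, then let the engine compare against the token
		// stored in this session for that key. Both must pass.
		keyIsValid   = reFind( keyPattern, FORM.tokenVar ) > 0;
		tokenIsValid = keyIsValid && csrfVerifyToken( FORM.formToken, FORM.tokenVar );

		if ( !tokenIsValid ) {
			// Reject without touching the submitted data. Log server-side only;
			// never echo the token value back to the client.
			writeLog(
				type = "warning",
				file = "csrf",   // assumed log file name
				text = "CSRF check failed for key [#FORM.tokenVar#] from #cgi.remote_addr#"
			);
			cfheader( statusCode = 403, statusText = "Forbidden" );
			writeOutput( "Invalid or expired form token." );
			abort;
		}

		// Token is good: process the data, then replace the stored token for this
		// key (forceNew = true) so a resubmitted copy of this request is rejected.
		csrfGenerateToken( FORM.tokenVar, true );
		writeOutput( "Saved: " & encodeForHTML( FORM.emailAddress ) );
		abort;
	}

	// GET: render the form with a fresh key/token pair. createUUID() yields
	// 32 hex characters once the hyphens are removed, matching keyPattern.
	formKey   = "profile_" & lCase( replace( createUUID(), "-", "", "all" ) );
	formToken = csrfGenerateToken( formKey );
</cfscript>
<cfoutput>
<form method="post" action="profile.cfm">
	<input type="hidden" name="tokenVar"  value="#encodeForHTMLAttribute( formKey )#">
	<input type="hidden" name="formToken" value="#encodeForHTMLAttribute( formToken )#">
	<label>Email <input type="email" name="emailAddress"></label>
	<button type="submit">Save</button>
</form>
</cfoutput>
```

Two design points worth noting. First, the pattern check on tokenVar does not replace csrfVerifyToken(); it only keeps arbitrary client strings away from the session lookup and makes the failure log readable. Second, rotating the token after a successful submission is what turns the session-scoped token into a one-time value for this form; without it the same token remains valid for the key until the session ends.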
