maxedison

Reputation: 17553

Preventing CSRF in custom AJAX form submissions

I asked this question about reasons to use Drupal 7's Forms API as opposed to just processing form submission requests myself and eventually calling a function like node_save() or comment_save(). While a variety of reasons were given for using the Forms API, only one possible security vulnerability was raised: by not using Drupal 7's Forms API, I'd be missing out on the CSRF prevention techniques it uses. From what I've read, this basically involves the use of a token for validating requests.

My question is twofold:

  1. Is it possible to leverage Drupal's token method of CSRF prevention in the script I write to process the Ajax request, thereby entirely eliminating the added risk I'm assuming by not using the Forms API? If so, how?
  2. Does the Forms API employ techniques beyond the use of tokens that I should also implement?

Please note that I do not want this question to become a discussion of whether I should use the Forms API or not.

Upvotes: 0

Views: 834

Answers (1)

Oswald

Reputation: 31647

The token is generated by drupal_get_token() and validated using drupal_valid_token().

Upvotes: 1
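As an added illustration of the answer above (this is example code written for this page, not code from the question, the answer, or Drupal itself), here is a custom Drupal 7 AJAX endpoint that uses drupal_get_token() and drupal_valid_token() instead of the Forms API. The module name `mymodule`, the path `mymodule/ajax/save-title`, the token value string `mymodule_save_title` and the POST field names are all assumptions. Beyond the token check it also refuses non-POST requests and checks node_access() before node_save(), because a valid token only proves the request came from the current user's own page, not that the input is sane or that the user may edit the node.

```php
<?php
/**
 * Added example (not from the question or answer above): a custom Drupal 7
 * AJAX endpoint protected with drupal_get_token() / drupal_valid_token().
 * The module name "mymodule", the path and the POST field names are assumed.
 */

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['mymodule/ajax/save-title'] = array(
    'page callback' => 'mymodule_ajax_save_title',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_init(): hand the token to the browser via Drupal.settings.
 *
 * The token is bound to the value 'mymodule_save_title' (an arbitrary string
 * you choose) and to the current user's session, so a token issued for one
 * purpose or one session cannot be replayed for another.
 */
function mymodule_init() {
  if (user_is_logged_in()) {
    $settings = array('mymodule' => array('token' => drupal_get_token('mymodule_save_title')));
    drupal_add_js($settings, 'setting');
  }
}

/**
 * Page callback for the AJAX request.
 *
 * The client is expected to POST the fields 'nid', 'title' and 'token', e.g.
 * jQuery.post(Drupal.settings.basePath + 'mymodule/ajax/save-title',
 *   {nid: 12, title: 'New title', token: Drupal.settings.mymodule.token});
 */
function mymodule_ajax_save_title() {
  // State-changing requests must be POST: a GET could be triggered by a plain
  // <img> or <a> on a third-party page, and a token in the body would never be
  // looked at.
  if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    drupal_add_http_header('Status', '405 Method Not Allowed');
    drupal_json_output(array('error' => 'POST required'));
    drupal_exit();
  }

  // The token check is what the Forms API does for you: the second argument
  // must be the same string that was used when the token was generated.
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'mymodule_save_title')) {
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_json_output(array('error' => 'Invalid CSRF token'));
    drupal_exit();
  }

  // Validate the input itself; the token proves where the request came from,
  // not that its contents are acceptable.
  $nid = isset($_POST['nid']) ? (int) $_POST['nid'] : 0;
  $title = isset($_POST['title']) ? trim($_POST['title']) : '';
  $node = $nid ? node_load($nid) : FALSE;
  if (!$node || $title === '' || drupal_strlen($title) > 255) {
    drupal_add_http_header('Status', '400 Bad Request');
    drupal_json_output(array('error' => 'Missing or invalid nid/title'));
    drupal_exit();
  }

  // Authorization is separate from CSRF protection: a valid token only says
  // the current user sent the request, not that they may edit this node.
  if (!node_access('update', $node)) {
    drupal_access_denied();
    drupal_exit();
  }

  $node->title = $title;
  node_save($node);
  drupal_json_output(array(
    'status' => 'ok',
    'nid' => $node->nid,
    'title' => check_plain($node->title),
  ));
  drupal_exit();
}
```

Two caveats worth knowing when you do this yourself: drupal_get_token() mixes the session ID into the token, so a token generated for an anonymous visitor with no session will not validate unless you pass TRUE as the third argument of drupal_valid_token(); and the token guards only against cross-site forgery, so the access check and input validation above are still needed, just as they would be in a Forms API validate/submit handler.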
