Csrf() form submit

Hello.

Are there more details on how to use this token?

Is there any check I can run? Basically like validate it in a form submit?

Best Regards

The answer is in that piece of documentation you already linked to above, please scroll down.

There’s also an example in the user registration cookbook, but it’s the same as above: User registration | Kirby CMS


Thanks, I missed that 🙂 and thanks for the cookbook example.

I've got one question left: could I also use the token in combination with a session, if I don't want to pass it directly in the form?

I have some validation running before, and I want to add the token as a separate check.

$session->set('csrftoken', csrf());

and then in some PHP files:

$token = $session->get('csrftoken');
if (csrf($token)) {
    // token is true
}

I have some code that switches to kirby()->impersonate('kirby'); and there is no login, so I want to be 100% sure that the user is allowed to use the API endpoints. I have some validation that checks fields.

So my idea is

Set the token on the form if valid:

if ($invalid = invalid($data, $rules, $messages)) {
    $alert = $invalid;
} else {
    // validation passed: remember the token in the session
    $session->set('csrftoken', csrf());
}

Then use it later on the API:

[
    'pattern' => '/upload/',
    'method'  => 'POST',
    'auth'    => false,
    'action'  => function ($id) {
        // $session is not in scope inside the closure, so fetch it here
        $session = kirby()->session();
        $token   = $session->get('csrftoken');
        if (csrf($token)) {
            kirby()->impersonate('kirby');
            // Code for adding file
        }
    }
]

Update: yeah, that also works quite well. 🙂
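
Added example, not part of the thread and not Kirby's own code: a self-contained PHP model of a session-backed CSRF check, contrasting a token taken from the submitted form with one read back from the session. The `CsrfGuard` class, the field names and the request arrays are constructed for illustration, and the model assumes the helper compares the submitted value against a single token stored in the session.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a session-backed CSRF helper (not Kirby's source).
// Assumption: one token is stored per session and a submitted value is
// compared against it in constant time.
final class CsrfGuard
{
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Create the token on first use and return it for the hidden form field.
    public function token(): string
    {
        if (!isset($this->session['csrf'])) {
            $this->session['csrf'] = bin2hex(random_bytes(32));
        }
        return $this->session['csrf'];
    }

    // True only if the caller supplies the same token the session holds.
    public function check(?string $submitted): bool
    {
        $expected = $this->session['csrf'] ?? null;
        return is_string($expected) && is_string($submitted)
            && hash_equals($expected, $submitted);
    }
}

$session = [];                          // constructed server-side session
$guard   = new CsrfGuard($session);
$field   = $guard->token();             // value rendered into the form

// Constructed POST bodies: one from the site's own form, one without the field
// (the session cookie would still accompany both requests).
$requests = [
    'own form'      => ['csrf' => $field, 'file' => 'a.png'],
    'field missing' => ['file' => 'a.png'],
];

foreach ($requests as $label => $post) {
    $fromRequest = $guard->check($post['csrf'] ?? null);    // proves the sender saw the form
    $fromSession = $guard->check($session['csrf'] ?? null); // compares the session with itself
    printf("%-13s request=%s session=%s\n", $label,
        var_export($fromRequest, true), var_export($fromSession, true));
}
```

Only the check on the submitted field tells the two requests apart; the session-only check passes for any request that carries the session cookie.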