1. class
  2. SilverStripe
  3. \
  4. Security
  5. \
  6. SecurityToken

SecurityToken

class SecurityToken implements TemplateGlobalProvider (View source)

Cross Site Request Forgery (CSRF) protection for the Form class and other GET links.

Can be used globally (through SecurityToken::inst()) or on a form-by-form basis Form->getSecurityToken().

Usage in forms

This protective measure is automatically turned on for all new Form instances, and can be globally disabled through disable().

Usage in custom controller actions

class MyController extends Controller {
 function mygetaction($request) {
     if(!SecurityToken::inst()->checkRequest($request)) return $this->httpError(400);

     // valid action logic ...
 }
}

Make token name form specific for additional forgery protection.

Traits

Configurable

Provides extensions to this object to integrate it with standard config API methods.

Injectable

A class that can be instantiated or replaced via DI

Properties

protected static string $default_name
protected static SecurityToken $inst
protected static bool $enabled
protected string $name

Methods

public static 
Config_ForClass
config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

from  Configurable
public
mixed
stat(string $name) deprecated

Get inherited config value

from  Configurable
public
mixed
uninherited(string $name)

Gets the uninherited value for the given config option

from  Configurable
public
$this
set_stat(string $name, mixed $value) deprecated

Update the config value for a given property

from  Configurable
public static 
Injectable
create(mixed ...$args)

An implementation of the factory method, allows you to create an instance of a class

from  Injectable
public static 
Injectable
singleton(string $class = null)

Creates a class instance by the "singleton" design pattern.

from  Injectable
public
__construct(string $name = null)

No description

public static 
SecurityToken
inst()

Gets a global token (or creates one if it doesnt exist already).

public static 
disable()

Globally disable the token (override with NullSecurityToken) implementation. Note: Does not apply for

public static 
enable()

Globally enable tokens that have been previously disabled through disable.

public static 
bool
is_enabled()

No description

public static 
string
get_default_name()

No description

public static 
int
getSecurityID()

Returns the value of an the global SecurityToken in the current session

public
setName(string $name)

No description

public
string
getName()

No description

public
string
getValue()

No description

public
$this
setValue(string $val)

No description

protected
Session
getSession()

Returns the current session instance from the injector

public
reset()

Reset the token to a new value.

public
bool
check(string $compare)

Checks for an existing CSRF token in the current users session.

public
bool
checkRequest(HTTPRequest $request)

See check().

protected
string
getRequestToken(HTTPRequest $request)

Get security token from request

public
HiddenField|false
updateFieldSet(FieldList $fieldset)

Note: Doesn't call FormField->setForm() on the returned HiddenField, you'll need to take care of this yourself.

public
string
addToUrl(string $url)

No description

public
bool
isEnabled()

You can't disable an existing instance, it will need to be overwritten like this:

$old = SecurityToken::inst(); // isEnabled() returns true
SecurityToken::disable();
$new = SecurityToken::inst(); // isEnabled() returns false

protected
string
generate()

No description

public static 
array
get_template_global_variables()

Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template

Details

in Configurable at line 20
static Config_ForClass config()

Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).

Return Value

Config_ForClass

in Configurable at line 32
mixed stat(string $name) deprecated

deprecated 5.0 Use ->config()->get() instead

Get inherited config value

Parameters

string $name

Return Value

mixed

in Configurable at line 44
mixed uninherited(string $name)

Gets the uninherited value for the given config option

Parameters

string $name

Return Value

mixed

in Configurable at line 57
$this set_stat(string $name, mixed $value) deprecated

deprecated 5.0 Use ->config()->set() instead

Update the config value for a given property

Parameters

string $name
mixed $value

Return Value

$this

in Injectable at line 26
static Injectable create(mixed ...$args)

An implementation of the factory method, allows you to create an instance of a class

This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.

This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create(SiteTree::class); $list = SiteTree::get();

Parameters

mixed ...$args

Return Value

Injectable

in Injectable at line 43
static Injectable singleton(string $class = null)

Creates a class instance by the "singleton" design pattern.

It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).

Parameters

string $class

Optional classname to create, if the called class should not be used

Return Value

Injectable

The singleton instance

at line 68
__construct(string $name = null)

No description

Parameters

string $name

at line 78
static SecurityToken inst()

Gets a global token (or creates one if it doesnt exist already).

Return Value

SecurityToken

at line 91
static disable()

Globally disable the token (override with NullSecurityToken) implementation. Note: Does not apply for

at line 100
static enable()

Globally enable tokens that have been previously disabled through disable.

at line 109
static bool is_enabled()

No description

Return Value

bool

at line 117
static string get_default_name()

No description

Return Value

string

at line 126
static int getSecurityID()

Returns the value of an the global SecurityToken in the current session

Return Value

int

at line 135
setName(string $name)

No description

Parameters

string $name

at line 145
string getName()

No description

Return Value

string

at line 153
string getValue()

No description

Return Value

string

at line 171
$this setValue(string $val)

No description

Parameters

string $val

Return Value

$this

at line 183
protected Session getSession()

Returns the current session instance from the injector

Return Value

Session

Exceptions

Exception

at line 197
reset()

Reset the token to a new value.

at line 214
bool check(string $compare)

Checks for an existing CSRF token in the current users session.

This check is automatically performed in Form->httpSubmission() if a form has security tokens enabled. This direct check is mainly used for URL actions on FormField that are not routed through Form->httpSubmission().

Typically you'll want to check Form->securityTokenEnabled() before calling this method.

Parameters

string $compare

Return Value

bool

at line 225
bool checkRequest(HTTPRequest $request)

See check().

Parameters

HTTPRequest $request

Return Value

bool

at line 237
protected string getRequestToken(HTTPRequest $request)

Get security token from request

Parameters

HTTPRequest $request

Return Value

string

at line 257
HiddenField|false updateFieldSet(FieldList $fieldset)

Note: Doesn't call FormField->setForm() on the returned HiddenField, you'll need to take care of this yourself.

Parameters

FieldList $fieldset

Return Value

HiddenField|false

at line 272
string addToUrl(string $url)

No description

Parameters

string $url

Return Value

string

at line 287
bool isEnabled()

You can't disable an existing instance, it will need to be overwritten like this:

$old = SecurityToken::inst(); // isEnabled() returns true
SecurityToken::disable();
$new = SecurityToken::inst(); // isEnabled() returns false

Return Value

bool

at line 297
protected string generate()

No description

Return Value

string

at line 303
static array get_template_global_variables()

Called by SSViewer to get a list of global variables to expose to the template, the static method to call on this class to get the value for those variables, and the class to use for casting the returned value for use in a template

If the method to call is not included for a particular template variable, a method named the same as the template variable will be called

If the casting class is not specified for a particular template variable, ViewableData::$default_cast is used

The first letter of the template variable is case-insensitive. However the method name is always case sensitive.

Return Value

array

Returns an array of items. Each key => value pair is one of three forms:

  • template name (no key)
  • template name => method name
  • template name => [], where the array can contain these key => value pairs
    • "method" => method name
    • "casting" => casting class to use (i.e., Varchar, HTMLFragment, etc)