
[resolved] How do you retrieve the SecurityID value?


1k2k3

Community Member, 15 Posts

19 August 2010 at 2:48pm

Edited: 19/08/2010 6:38pm

How do I retrieve the current SecurityID value after a page has been refreshed?

And then put that value into a hidden input box within the SilverStripe theme, for example:

<input class="hidden nolabel" type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="Current SecurityID value here" />

The reason I would like to be able to retrieve this value on refresh is because I'm using a newsletter module http://ssorg.bigbird.silverstripe.com/newsletter-module/ and I have hard-coded the form into my SilverStripe theme using the 'Page Source' from the subscription page created within the CMS.

Screen dump: http://img707.imageshack.us/img707/314/newsletterareasample.jpg

<!-- Newsletter Code start -->
   <div id="stylized">
   <form id="Form_Form" action="/silverstripe/subscription/Form" method="post" enctype="application/x-www-form-urlencoded">
               <img alt="Resources" src="$ThemeDir/images/Newsletter.gif" />
               <label>Email
               <span class="small">Add a valid address:</span>
               </label>
   <p id="Form_Form_error" class="message " style="display: none"></p>
   <fieldset>
         <div class="field CompositeField nolabel" id="MemberInfoSection">
            <div id="Email" class="field text">
               <div class="middleColumn">
               <input type="text" class="text" id="Form_Form_Email" name="Email" value="" />
               </div>
            </div>
         </div>
      <input class="hidden nolabel" type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="12119" />
      <div class="clear"><!-- --></div>
   </fieldset>
      <div class="Actions">
         <input class="action "
         id="Form_Form_action_doSubscribe"
         type="submit"
         name="action_doSubscribe"
         value="Submit"
         title="Submit" />
      </div>
   </form>
   </div>
   <!-- Newsletter Code end -->

At the moment though, because the value '12119' does not change, the first subscription into the newsletter module works okay but the second and third subscriptions return the error:

SecurityID doesn't match, possible CSRF attack.

1k2k3

Community Member, 15 Posts

19 August 2010 at 3:58pm

Edited: 19/08/2010 4:02pm

Resolved. Even though it just took a little bit of researching, I hope this helps other people who may have had the same issue.

The variable $securityID from \silverstripe\sapphire\forms\form.php stores the SecurityID value I was looking for.

I found it by looking through the document: http://svn.silverstripe.com/open/modules/sapphire/branches/trunk-ssbook/forms/Form.php

      // Protection against CSRF attacks
      if($this->securityTokenEnabled()) {
         $securityID = Session::get('SecurityID');

         if(!$securityID || !isset($vars['SecurityID']) || $securityID != $vars['SecurityID']) {
            $this->httpError(400, "SecurityID doesn't match, possible CSRF attack.");
         }
      }

My code for the newsletter area is:

   <!-- Newsletter Code start -->
   <div id="stylized">
   <form id="Form_Form" action="/silverstripe/subscription/Form" method="post" enctype="application/x-www-form-urlencoded">
               <img alt="Resources" src="$ThemeDir/images/Newsletter.gif" />
               <label>Email
               <span class="small">Add a valid address:</span>
               </label>
   <p id="Form_Form_error" class="message " style="display: none"></p>
   <fieldset>
         <div class="field CompositeField nolabel" id="MemberInfoSection">
            <div id="Email" class="field text">
               <div class="middleColumn">
               <input type="text" class="text" id="Form_Form_Email" name="Email" value="" />
               </div>
            </div>
         </div>
      <input class="hidden nolabel" type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="$securityID" />
      <div class="clear"><!-- --></div>
   </fieldset>
      <div class="Actions">
         <input class="action "
         id="Form_Form_action_doSubscribe"
         type="submit"
         name="action_doSubscribe"
         value="Submit"
         title="Submit" />
      </div>
   </form>
   </div>
   <!-- Newsletter Code end -->

Which returns a confirmation page.

Your Subscription to the newsletter has been successful.
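A small PHP model of the check quoted in this post, added here as an example and not SilverStripe's own code: the $session array, securityId() and the rotate-after-success step are assumptions, but they show why a token copied from page source only passes once while one rendered from the session on each request passes every time.

```php
<?php
// Added example (not SilverStripe's code): minimal model of the
// Form.php SecurityID check. $session stands in for Session::get/set.
$session = [];

// Issue (or reuse) the SecurityID a page render would place into the
// hidden <input name="SecurityID"> field. Assumed helper, not SilverStripe's.
function securityId(array &$session): string {
    if (empty($session['SecurityID'])) {
        // Unguessable per-session token; Form.php's own generator may differ.
        $session['SecurityID'] = bin2hex(random_bytes(16));
    }
    return $session['SecurityID'];
}

// Same three conditions as Form.php: token in session, token posted, tokens equal.
// hash_equals() compares in constant time, so a mismatch leaks nothing via timing.
function checkSecurityId(array &$session, array $vars): bool {
    $securityID = $session['SecurityID'] ?? '';
    if ($securityID === '' || !isset($vars['SecurityID'])
        || !hash_equals($securityID, (string) $vars['SecurityID'])) {
        return false; // Form.php answers httpError(400, "SecurityID doesn't match...")
    }
    // Assumed: the token is single-use and rotated after a successful submit,
    // which is why a replayed or hard-coded value stops matching afterwards.
    unset($session['SecurityID']);
    securityId($session);
    return true;
}

// Theme with the value hard-coded from a copied page source.
$hardcoded = securityId($session);
echo checkSecurityId($session, ['SecurityID' => $hardcoded]) ? "1st: ok\n"   : "1st: fail\n";
echo checkSecurityId($session, ['SecurityID' => $hardcoded]) ? "2nd: ok\n"   : "2nd: fail\n";

// Theme that renders $SecurityID from the session on every request.
echo checkSecurityId($session, ['SecurityID' => securityId($session)]) ? "3rd: ok\n" : "3rd: fail\n";
```

Run it with `php model.php`: the second submission with the hard-coded value fails exactly as the thread describes, while the session-rendered value passes again.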

qbahamutp

Community Member, 8 Posts

22 August 2011 at 8:34pm

Thanks so much for sharing this :)