
[resolved] How do you retrieve the SecurityID value?




3 Posts   2785 Views

1k2k3

Community Member, 15 Posts

19 August 2010 at 2:48pm

Edited: 19/08/2010 6:38pm

How do I retrieve the current SecurityID value after a page has been refreshed?

And then put that value into a Hidden Input Box within the SilverStripe Theme for example.

<input class="hidden nolabel" type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="Current SecurityID value here" />

The reason I would like to be able to retrieve this value on refresh is because I'm using a newsletter module http://ssorg.bigbird.silverstripe.com/newsletter-module/ and I have hard coded the form into my SilverStripe theme using the 'Page Source' from the subscription page created within the CMS.

Screen dump: http://img707.imageshack.us/img707/314/newsletterareasample.jpg

<!-- Newsletter Code start -->
	<div id="stylized">
	<form  id="Form_Form" action="/silverstripe/subscription/Form" method="post" enctype="application/x-www-form-urlencoded">
					<img  alt="Resources" src="$ThemeDir/images/Newsletter.gif" />
					<label>Email
					<span class="small">Add a valid address:</span>
					</label>
	<p id="Form_Form_error" class="message " style="display: none"></p>
	<fieldset>
			<div class="field CompositeField  nolabel" id="MemberInfoSection">
				<div id="Email" class="field text">
					<div class="middleColumn">
					<input type="text" class="text" id="Form_Form_Email" name="Email" value="" />
					</div>
				</div>
			</div>
		<input class="hidden nolabel" type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="12119" />
		<div class="clear"><!-- --></div>
	</fieldset>
		<div class="Actions">
			<input class="action " 
			id="Form_Form_action_doSubscribe" 
			type="submit" 
			name="action_doSubscribe" 
			value="Submit" 
			title="Submit" />
		</div>
	</form>
	</div>
	<!-- Newsletter Code end -->

At the moment, though, because the value '12119' does not change, the first subscription into the newsletter module works A-OK but the second and third subscriptions return the error:

SecurityID doesn't match, possible CSRF attack.

1k2k3

Community Member, 15 Posts

19 August 2010 at 3:58pm

Edited: 19/08/2010 4:02pm

Resolved. Even though it just took a little bit of researching, I hope this helps other people who may have had the same issue.

The variable $securityID from \silverstripe\sapphire\forms\form.php stores the SecurityID value I was looking for.

I found it by looking through the document: http://svn.silverstripe.com/open/modules/sapphire/branches/trunk-ssbook/forms/Form.php

		// Protection against CSRF attacks
		if($this->securityTokenEnabled()) {
			$securityID = Session::get('SecurityID');

			if(!$securityID || !isset($vars['SecurityID']) || $securityID != $vars['SecurityID']) {
				$this->httpError(400, "SecurityID doesn't match, possible CSRF attack.");
			}
		}

My code for the newsletter area is:

	<!-- Newsletter Code start -->
	<div id="stylized">
	<form  id="Form_Form" action="/silverstripe/subscription/Form" method="post" enctype="application/x-www-form-urlencoded">
					<img  alt="Resources" src="$ThemeDir/images/Newsletter.gif" />
					<label>Email
					<span class="small">Add a valid address:</span>
					</label>
	<p id="Form_Form_error" class="message " style="display: none"></p>
	<fieldset>
			<div class="field CompositeField  nolabel" id="MemberInfoSection">
				<div id="Email" class="field text">
					<div class="middleColumn">
					<input type="text" class="text" id="Form_Form_Email" name="Email" value="" />
					</div>
				</div>
			</div>
		<input class="hidden nolabel" type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="$securityID" />
		<div class="clear"><!-- --></div>
	</fieldset>
		<div class="Actions">
			<input class="action " 
			id="Form_Form_action_doSubscribe" 
			type="submit" 
			name="action_doSubscribe" 
			value="Submit" 
			title="Submit" />
		</div>
	</form>
	</div>
	<!-- Newsletter Code end -->

Which returns a confirmation page.

Your Subscription to the newsletter has been successful.
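The Form.php snippet quoted above rejects a submission when the session has no token, the POST carries no token, or the two differ. The following is an added example, not SilverStripe's or the newsletter module's code, that implements that same synchronizer-token check in a stand-alone PHP script so the failure in the first post is easy to reproduce: a token hard-coded into the theme (like the fixed "12119") only matches for as long as the session that issued it lives, which is why the form has to render the current session value. Function names (issue_security_id, verify_security_id) and the use of a plain PHP session are this example's own assumptions.

```php
<?php
// Added example (not SilverStripe code): a minimal synchronizer-token check
// in the same shape as the Form.php snippet. Assumes a plain PHP session;
// the function names below are this example's own, not framework APIs.

session_start();

// Create the per-session token once and reuse it for every form render, so a
// refreshed page and the form that is later posted agree on the same value.
function issue_security_id(): string
{
    if (empty($_SESSION['SecurityID'])) {
        // 32 random bytes, hex-encoded: unguessable, unlike a fixed value such as "12119".
        $_SESSION['SecurityID'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['SecurityID'];
}

// Mirrors the three conditions in Form.php: no session token, no posted token,
// or a mismatch. Returns null on success, otherwise the message to raise as a 400.
function verify_security_id(array $vars): ?string
{
    $sessionToken = $_SESSION['SecurityID'] ?? null;
    if (!$sessionToken) {
        return "SecurityID doesn't match, possible CSRF attack."; // nothing issued yet
    }
    if (!isset($vars['SecurityID']) || !is_string($vars['SecurityID'])) {
        return "SecurityID doesn't match, possible CSRF attack."; // field missing
    }
    // hash_equals() compares in constant time; a plain != would leak timing information.
    if (!hash_equals($sessionToken, $vars['SecurityID'])) {
        return "SecurityID doesn't match, possible CSRF attack.";
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = verify_security_id($_POST);
    if ($error !== null) {
        http_response_code(400);
        exit(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
    }
    // The subscription itself would be handled here.
    echo 'Your Subscription to the newsletter has been successful.';
} else {
    // Render the form with the live token; escaping keeps the attribute well-formed.
    $token = htmlspecialchars(issue_security_id(), ENT_QUOTES, 'UTF-8');
    echo '<form id="Form_Form" method="post" action="">'
       . '<input type="text" id="Form_Form_Email" name="Email" value="" />'
       . '<input type="hidden" id="Form_Form_SecurityID" name="SecurityID" value="' . $token . '" />'
       . '<input type="submit" name="action_doSubscribe" value="Submit" />'
       . '</form>';
}
```

Run it behind any PHP-capable web server: a GET renders the form with the session's token, a POST of that form succeeds, and editing the hidden field to a stale or fixed value (or submitting from a page whose session has since expired) returns the 400 with the same message the thread reports. The same three checks are what the $securityID template variable in the answer above satisfies, because the theme then always emits the token the session currently holds.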

qbahamutp

Community Member, 8 Posts

22 August 2011 at 8:34pm

Thanks so much for sharing this :)