

$LoginForm - why disableSecurityToken?


Go to End


2 Posts   1933 Views

Antony

Community Member, 4 Posts

21 October 2015 at 9:00am

Hi
We have just conducted a security check on our site and found that both $LoginForm and the MemberLoginForm (at http://example.com/Security/login) do not use a SecurityID. According to the docs, form objects automatically contain a SecurityID to help prevent Cross-Site Request Forgery (https://docs.silverstripe.org/en/3.2/developer_guides/security/secure_coding/).
After a bit of hunting I found within the __construct function of LoginForm.php:

$this->disableSecurityToken();

Why is disableSecurityToken being called here? Is there a particular situation where this is needed? How is it possible to override it?
Any advice please? Thanks in advance.
Cheers, Antony

Devlin

Community Member, 344 Posts

21 October 2015 at 9:40pm

Edited: 21/10/2015 11:36pm

I have no idea. You should open an issue on GitHub for this. Since it is an abstract class, maybe it's for custom LoginForms like OpenID?

How is it possible to override it?

You could overload the class via Injector. Something like:

# e.g. mysite/_config/config.yml (SilverStripe 3 config files need the Name header block)
---
Name: mymemberloginform
---
Injector:
  MemberLoginForm:
    class: MyMemberLoginForm

<?php
// e.g. mysite/code/MyMemberLoginForm.php
class MyMemberLoginForm extends MemberLoginForm {
    public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true) {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

        // LoginForm::__construct calls disableSecurityToken(); switch the CSRF token back on
        $this->enableSecurityToken();
    }
}
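As an added check that is not part of this thread or of the SilverStripe code base: a SapphireTest that confirms the override above actually restores CSRF protection, so a later upgrade or refactor that silently drops the token is caught in the test run. It assumes the MyMemberLoginForm class from the reply exists, the SilverStripe 3.1+ Form, SecurityToken and SS_HTTPRequest API (securityTokenEnabled(), Fields(), SecurityToken::inst()->checkRequest()), and the test class name, file path and POST values are made up for illustration.

```php
<?php
// Hypothetical file: mysite/tests/MyMemberLoginFormTest.php
// Run with: framework/sake dev/tests/MyMemberLoginFormTest
class MyMemberLoginFormTest extends SapphireTest {

    public function testOverrideRestoresSecurityToken() {
        // Security is a Controller subclass, so it can stand in as the form's controller
        $form = new MyMemberLoginForm(new Security(), 'LoginForm');

        // The overridden constructor must leave the token switched on...
        $this->assertTrue(
            $form->securityTokenEnabled(),
            'MyMemberLoginForm should re-enable the SecurityToken'
        );

        // ...and the field list must carry the hidden SecurityID field the docs describe
        $this->assertNotNull(
            $form->Fields()->fieldByName('SecurityID'),
            'Login form is missing the SecurityID hidden field'
        );
    }

    public function testMissingOrWrongTokenIsRejected() {
        $token = SecurityToken::inst();

        // Constructed POST body with no SecurityID at all: must fail the check
        $request = new SS_HTTPRequest('POST', 'Security/LoginForm', array(), array(
            'Email'    => 'user@example.com',
            'Password' => 'not-a-real-password',
        ));
        $this->assertFalse($token->checkRequest($request));

        // Constructed POST body carrying a made-up token value: must also fail
        $request = new SS_HTTPRequest('POST', 'Security/LoginForm', array(), array(
            'Email'      => 'user@example.com',
            'Password'   => 'not-a-real-password',
            'SecurityID' => 'constructed-wrong-value',
        ));
        $this->assertFalse($token->checkRequest($request));

        // Only the value issued for the current session passes
        $request = new SS_HTTPRequest('POST', 'Security/LoginForm', array(), array(
            'Email'      => 'user@example.com',
            'Password'   => 'not-a-real-password',
            'SecurityID' => $token->getValue(),
        ));
        $this->assertTrue($token->checkRequest($request));
    }
}
```

The first test is the one that guards the fix in this thread: if the Injector mapping or the enableSecurityToken() call is ever removed, securityTokenEnabled() returns false and the build fails. The second test documents what the token buys you: a cross-site POST cannot supply the session-bound SecurityID value, so it is rejected before the login action runs.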